How to Initiate EAP-Request Identity
javier_sandoval_ldc at yahoo.es
Wed May 6 14:30:57 CEST 2020
it is clear a communication problem.
I have it working, Believe it.
I guess the problem is you think end customer EAP Identity need to change at some time for this use case, but it doesn´t. I likely explain badly the use-case.
It is not the case, you have two elements. the VPN server telling initially to the Radius server one EAP-identity that it derived from IKE-ID (as the VPN server does not explicitly ask for the EAP-Identity), and the end customer telling the Radius server its real EAP-Identity after requested by Radius.
I am happy to know I might finally get sending EAP-Identity Request from Freeradius for this case. That was part of my initial question.
En miércoles, 6 de mayo de 2020 13:56:06 CEST, Alan DeKok <aland at deployingradius.com> escribió:
On May 6, 2020, at 5:20 AM, JAVIER SANDOVAL <javier_sandoval_ldc at yahoo.es> wrote:
> Very interesting your speech but nothing to do with the real thing.
This is fundamentally a communication problem. You're not saying what you're doing, and you're misunderstanding what I say.
When I say "the other end won't do what you want", your conclusion should *not* be "FreeRADIUS can't do it". That's not what I said. Such a response is not appropriate.
> I have the setup working with a different AAA solution in the market, there is zero problems for the windows VPN clients to work when Radius send the identity-Request. It definitely works perfectly.
Post PCAP files.
> I have neither ideas nor opinions about EAP.
That's clearly not true. I suggest telling the truth.
> asking for the EAP-identity it is quite normal for several uses-cases and its is quite clear at the RFCs.
Will the other end *change* it's identity response as you were implying? Or, send back the same response as I suggested?
The RFCs absolutely do not say "Oh, if you ask *enough*, then the other end will send you the *real* identity you want".
> For different reasons, I needed to asses the possibility of this use-case with Freeradius, that was all.
> Freeradius is not a problem at all. I like it, I was just asking about the integration with this use-case and asking for advice.
FreeRADIUS can do just about anything.
You *can* make FreeRADIUS do whatever you want, including sending EAP-Identity requests.
More information about the Freeradius-Users