Apparently, the problem is a different RFC interpretation. The EAP implemented in freeradius make a unnecessary check in handle->identity variable.
RFC 3579, Section 2.1, in the second paragraph on page 7 says: In order to permit non-EAP aware RADIUS proxies to forward the Access-Request packet, if the NAS initially sends an EAP-Request/Identity message to the peer, the NAS MUST copy the contents of the Type-Data field of the EAP-Response/Identity received from the peer into the User-Name attribute and MUST include the Type-Data field of the EAP-Response/Identity in the User-Name attribute in every subsequent Access-Request. ... This is what FreeRADIUS enforces. The text could not be more clear. It *does* go on to say: If the NAS initially sends an EAP-Request for an authentication method, and the peer identity cannot be determined from the EAP-Response, then the User-Name attribute SHOULD be determined by another means. As noted in [RFC2865] Section 5.6, it is recommended that Access-Requests use the value of the Calling-Station-Id as the value of the User-Name attribute. Note that this text does NOT contradict the previous text. Note also that the patch you supplied changes the behavior for everyone else, which is not nice. Alan DeKok.