Hi Alan, Thanks for the replay, Sorry for the late reply. I understand Sending Access-Challenge is not possible with TTLS or with any EAP type since Supplicant will not be compatible to process that. I have one more question, is there a way to tell the client/supplicant to use/Access requests with specific EAP type. If the RADIUS client sends PEAP (MSCHAPV2) in the inner-tunnel I want to send supplicant (NAK request) and ask for only EAP-TTLS/PAP, so the client will resend the request with EAP-TTLS/PAP. is this Feasible by change details at inner-tunnel or server config files? Thanks Dineshkumar On Tue, Apr 2, 2024 at 7:09 PM Alan DeKok <aland@deployingradius.com> wrote:
On Apr 2, 2024, at 2:06 AM, Dineshkumar pachamuthu < dineshkumar.pachamuthu@gmail.com> wrote:
I have recently been working and developing with the freeradius EAP protocol. I need to send access-challenge request with state and Reply-Message "Enter TOTP" inside of inner-tunnel of EAP-TTLS/PAP Protocol which will prompt the user to enter TOTP and send the access request again and will process and authenticate the user for MFA.
I have gone through this solution inside the authorize section of inner-tunnel but the EAP module sends access-reject when doing this change, Please guide me in the proper direction on how to achieve this in our environment.
There is no mechanism in the EAP-TTLS protocol where you can send an Access-Challenge back to the end user device. Even if you sent a Reply-Message to it inside of the TTLS tunnel, the end user device would ignore it.
No EAP-TTLS supplicant supports prompting users with a challenge.
Alan DeKok.