On May 3, 2020, at 3:36 PM, Jim Shi via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi, I have a question about how the radius server keep track of clients in EAP TLS. My understanding is that EAP TLS involves a series of requests/responses. Hence the radius server needs to keep track of status for each client during the handshake. How does the radius server keep track of clients? Based on 'User-Name' in the radius packet request?
The short answer is "Does it matter?" i.e. are you writing a RADIUS server which does EAP-TLS? If not, it doesn't really matter. It works, and that's good enough. The longer answer is that this is defined in RFC 3579 (EAP over RADIUS), and RFC 2865 (how Access-Challenge works). This uses the State attribute. If you read the debug output of the server, you'll also see that it looks up EAP sessions by State. Alan DeKok.