On Aug 13, 2015, at 3:18 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
I wondered about that; what about the EAP-Identity packet?
RFC 3579 (EAP over RADIUS) says: The authenticating peer and the NAS begin the EAP conversation by negotiating use of EAP. Once EAP has been negotiated, the NAS SHOULD send an initial EAP-Request message to the authenticating peer. This will typically be an EAP-Request/Identity, although it could be an EAP-Request for an authentication method (Types 4 and greater). However, RFC 2284 (EAP) says: Typically, the authenticator will send an initial Identity Request followed by one or more Requests for authentication information. However, an initial Identity Request is not required, and MAY be bypassed in cases where the identity is presumed (leased lines, dedicated dial-ups, etc.). which likely means that *all* EAP sessions for 802.1X will start with Identity, and never just start an EAP type. Alan DeKok.