Dear all, I'm trying to setup EAP-MD5 authentication with a NAS that's looking bogus in my opinion. The exchange start correctly, the NAS is sending an Access-Request packet with an EAP Response giving its identity The server is responding by an Access-Challenge and a state variable. Then, the NAS is send an second Access-Request with the challenge and the state variable. The server is responding by an Access-Reject because there is "No EAP session matching the State variable". After comparing the exchange with the provided test tool "radtest -t eap-md5", I have noticed a difference in the message EAP identifiers used (not the RADIUS identifier) With the "radtest" client, the first sent Access-Request message contains a random EAP identifier generated by the client. The server answer with an "Access-Challenge" changing the EAP identifier to its own identifier (different from the one provided by the client) and the state variable. The "radtest" client then send the challenge response using the EAP identifier received from the server (and forgetting the one it has used for its first message). The server keep the EAP identifier in the last message sent (Access-Accept). In the case of the bogus NAS I'm testing, it's quite different. The NAS send the first message with its own EAP identifier (normal). The server respond with a new EAP identifier that it has generated (seems normal). The NAS send the second message with a newly EAP identifier (different from the first one it has used and from the one received from the server) The server then complains about "No EAP session matching the State variable" and send a "Access-Reject" I think this message is because of EAP identifier mismatch as the NAS didn't use the EAP identifier chosen by the server. Can someone can confirm that the EAP identifier to be used in the exchange is the one chosen by the server? Best regards, Sebastien.