Alan DeKok <aland@deployingradius.com> wrote:
All the example message flows I can find, e.g. in RFC 3579, have three parties involved, the client, a NAS, and the RADIUS server, so the client ends up sending an EAP-Response to the NAS rather than anything to the RADIUS server.
That's how EAP works, yes.
In that case are we being asked to do something that's not possible, i.e. having the client/supplicant talk directly to the RADIUS server without a NAS involved? That would also explain why we're having problems with it.
Send an EAP-Message containing an EAP-Identity. That starts EAP. The server SHOULD respond with an Access-Challenge containing an EAP-Message. That EAP-Message essentially says "Hi! Let's do TTLS!"
I've tried that, and got no resonse from the server... checking RFC 3748, the EAP-Identity is sent by the authenticator, not the client/supplicant: The Identity Type is used to query the identity of the peer. Generally, the authenticator will issue this as the initial Request. Then RFC 5281 says: However, prior to beginning the EAP- TTLS authentication, the client will typically issue an EAP- Response/Identity packet as part of the EAP protocol but that's the three-party version again since the client can't begin its communication with a Response. This sorta reinforces my suspicion (see above) that we're being asked to implement something that may not be possible? JG.