Hi experts, this question is a bit related with one i did last week about EAP-start support. Now is a slightly different use case: I have no expertise with freeradius and do not know how flexible Freeradius 3 may be to customize an authentication policy flow. The use case i am interested in is: Freeradius initiates a EAP Identity Request procedure when it receives and EAP-response message containing just only an EAP Identity AVP. (or if a bit more specific approach might be possible, just only when the provided EAP-identity is not known) The rational behind: Some VPN server(s) do not initiates EAP-Identity Request by itself. That may happen as it is not mandatory at RFC 5106 section 3 (EAP-Ikev2). However, the server sends to Radius server an EAP-response type Identity AVP, which is filled with the IKE-ID conveyed by the end customer. Some VPN clients include the EAP user as IKE-ID and all works normally, but some others not, and typically include as IKE-ID the IP address of the supplicant (i.e. windows 10, MAC OS native vpn clients), which is unknown for the radius/db server. I would appreciate your feedback, and, if feasible, some guiding or hints about how to get that policy implemented. Kind regards, Javier