playing with eap2 - access-challenge instead of access-accept

Alan DeKok aland at
Sat Sep 10 14:21:49 CEST 2011

Ming-Ching Tiew wrote:
> I am playing with eap2 module using from the hostapd 0.7.3 stable ( plus Makefile modifications ). I have got it to a stage where it can be instantiated - despite a few other off topic issues. But when I put that 'eap2' in place of 'eap' in the authentication section, nothing happens, eap2 module is not invoked. So I changed it to :-
>         Auth-Type eap {
>                 eap2
>         }
> The module is then invoked. But I am still not coming close to being able get it to authenticate, because when I tested the simplest case of eap md5, this is what I got from radius debug :-

  I haven't used that module in years...

> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group eap {...}
> CTRL-EVENT-EAP-STARTED 00:00:00:00:00:00
> ==> Request
> ++[eap2] returns handled
> Sending Access-Challenge of id 250 to port 52414
> 	EAP-Message = 0x01d300061920
> 	State = 0xe3c425eb267c641f82d999e1c9808ce1
> 	Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 0.

  That's PEAP.

> Verses this is what I get if I use 'eap' module :-
> [eap] Request found, released from the list
> [eap] EAP/md5

  Which is different..

> Seems eap2 is always returning access-challenge while eap is able to complete with access-accept. Is it that the rlm_eap2.c source needs further modifications ?

  See the FAQ.  If the server sends an Access-Challenge and nothing
happens... it's because the client (or EAP supplicant) has given up.

  Don't blame FreeRADIUS.

  Alan DeKok.

More information about the Freeradius-Devel mailing list