Reply-Message and Eap

Sam Hartman hartmans at
Wed Mar 4 14:09:01 CET 2015

so, I understand why it would be confusing to have both a Reply-Message
and an Eap-Message in the same packet.

I'm a bit confused why it's desirable to insert an EAP failure into a
packet in an access reject case.  We'd like to do a better job of error
reporting back to ABFAB clients than "Uh, it failed."  for some things
we can use Error-Cause as we discussed previously.

However it would be really nice to get a text string back too.

What I'd like to do is send back  a packet  with no EAP message  and a
Will that break things?

would it be reasonable to update policy to prefer keeping Reply-Message
over replacing Reply-Message with an EAP failure in the case where we're
handling a reject that currently has no EAP message at all?  I.E. we
rejected before eap got called in authorize/authenticate, or unlang
removed Eap-Message.


More information about the Freeradius-Devel mailing list