Question about EAP-TTLS session resumption

Alan DeKok aland at
Mon Apr 29 16:34:55 CEST 2013

stefan.paetow at wrote:
> However, when you go to the bottom of the output, where the request for user 'steve' (who is a valid user, and for whom a correct password was supplied) is sent, the request fails. The session for 'steve' is partial and stops prematurely, which leads me to believe that the EAP-TTLS client (the JRadius EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the EAP session, negotiate a fresh tunnel, and then attempt to authenticate the valid user 'steve' with the given password.

  Except it's not a request for "steve":

	User-Name = "steve"
	EAP-Message = 0x0200000801626f62

  The EAP-Message says that the EAP Identity is for user "bob".

  The EAP client you're using is broken.  Fix that before you try
anything else.

> Based on the debug output, it appears that the client simply re-uses the existing tunnel, which, according to the RFC and your confirmation, is not correct. So thanks for confirming that part of the theory. :-)

  Likely, yes.

> To prove that, I've just had a bit more of a play-around with the Java webapp, and when we restart it between authentication requests, the correct process is followed, i.e. establish an EAP session, negotiate a tunnel, attempt authentication, and every session is complete. I'll have a word with David over at Coova about the bean in question.

  Sounds like a plan.

  Alan DeKok.
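
Added example, not part of the original message or of FreeRADIUS: a small decoder for the EAP-Message value quoted above. It shows how the header bytes yield the identity "bob" and flags the disagreement with User-Name. The function names are hypothetical, and the input is assumed to be a single, unfragmented EAP-Message attribute in hex as printed in the debug output.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eap_message(hex_value):
    """Decode the EAP header (RFC 3748) from a hex string such as 0x0200..."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    # Header layout: Code (1 byte), Identifier (1 byte), Length (2 bytes, big-endian)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP length {length} inconsistent with {len(raw)} bytes")
    packet = {"code": EAP_CODES.get(code, f"Unknown({code})"), "id": ident,
              "length": length, "type": None, "data": b""}
    # Only Request/Response carry a Type byte followed by type-data
    if code in (1, 2) and length >= 5:
        packet["type"] = raw[4]
        packet["data"] = raw[5:length]
    return packet


def identity_mismatch(user_name, eap_hex):
    """Return the EAP identity if it differs from User-Name, else None."""
    pkt = parse_eap_message(eap_hex)
    if pkt["code"] != "Response" or pkt["type"] != EAP_TYPE_IDENTITY:
        return None  # not an EAP-Response/Identity, nothing to compare
    identity = pkt["data"].decode("utf-8", errors="replace")
    return identity if identity != user_name else None


if __name__ == "__main__":
    # Values taken from the debug output quoted in the message
    print(parse_eap_message("0x0200000801626f62"))
    print("mismatch:", identity_mismatch("steve", "0x0200000801626f62"))
```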
