EAP post auth reject and access-challenge

Phil Mayers p.mayers at imperial.ac.uk
Mon Jun 10 17:01:52 CEST 2013

On 10/06/13 15:45, Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi,
>    Just wondered if someone could explain the reason why, on rejection
> of EAP authentication, an access challenge request is sent out to the
> NAS, and whether it’s something we can control or not?

I assume you're referring to the fact that the inner tunnel reject is 
sent as an outer access-challenge?

The packet flow is this:

C: Access-Request   EAP / TLS-setup
S: Access-Challenge EAP / TLS-setup
C: Access-Request   EAP / TLS / inner access-request
S: Access-Challenge EAP / TLS / inner access-reject
C: Access-Request   EAP / TLS [ack]
S: Access-Reject    EAP / reject

Basically, the protocols send the inner reject as a TLS frame, so that 
the client can't be tricked by a fake reject. The client then ACKs it, 
and the server then sends the RADIUS-level reject.

So no, you can't turn it off - it's part of the protocol specifications.

Why is this a problem for you?

More information about the Freeradius-Users mailing list