EAP post auth reject and access-challenge

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Mon Jun 10 18:29:57 CEST 2013

  I have a setup that just does admin logins for NAS equipment, some of
it presents via PAP and some of it peap/mschapv2.

When the user is rejected I do a linelog or sql insert, capturing a
failure reason from each module.

Basically an EAP reject of a user creates two entries to the logging. I
do failure logging within the inner-tunnel VS as well as the default
because I wanted it to capture a failure reason to the line log based on
the module-failure-reason string, which is lost after the eap session
rejects and can't be seen in the default. 

As you commented in an email from last week, updating the outer.control
variable to try and pass module-failure-reason doesn't work due to the
access-challenge presenting a new session.

I'm also doing some stuff in the authorization section which can reject
a user based on some ldap information. I thought I could perhaps just
update the default tunnel post-auth reject section to not do a linelog
if auth-type has been set to EAP but it doesn't work when clients are
rejected in this ldap section; the EAP auth-type is set but it never
authenticates as the reject is triggered first, and so a linelog would
never be recorded in the inner tunnel post auth reject section. I hope
that's not too confusing, it's hard to explain.


-----Original Message-----
freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradiu
s.org] On Behalf Of Phil Mayers
Sent: 10 June 2013 16:02
To: freeradius-users at lists.freeradius.org
Subject: Re: EAP post auth reject and access-challenge

On 10/06/13 15:45, Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi,
>    Just wondered if someone could explain the reason why, on rejection

> of EAP authentication, an access challenge request is sent out to the 
> NAS, and whether it's something we can control or not?

I assume you're referring to the fact that the inner tunnel reject is
sent as an outer access-challenge?

The packet flow is this:

C: Access-Request   EAP / TLS-setup
S: Access-Challenge EAP / TLS-setup
C: Access-Request   EAP / TLS / inner access-request
S: Access-Challenge EAP / TLS / inner access-reject
C: Access-Request   EAP / TLS [ack]
S: Access-Reject    EAP / reject

Basically, the protocols send the inner reject as a TLS frame, so that
the client can't be tricked by a fake reject. The client then ACKs it,
and the server then sends the RADIUS-level reject.

So no, you can't turn it off - it's part of the protocol specifications.

Why is this a problem for you?
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list