sending Challenge + EAP-Notification before Reject?

Stefan Winter stefan.winter at
Tue Feb 18 16:14:36 CET 2014


Recently, RFC4284 was brought to my attention, which speaks of ways to
notify EAP peers that there is no service for them - with a displayable
message as EAP-Notification in an Access-Challenge before the final
EAP-Failure in a Reject.

Is this in any way doable with FreeRADIUS?

I'm thinking of two scenarios primarily:

* FreeRADIUS proxy can't reach home server, so writes "Sorry, your home
server is unreachable" in a Challenge+EAP-Notification and after the
next Request then crafts Reject.

* FreeRADIUS sees the realm, figures that it's not wanted, so writes "We
don't serve that realm here." and then after the subsequent Request
sends Access-Reject.

I could also imagine that it could signal its own module failures as
reason; e.g. if an rlm_sql doesn't work, instead of an immediate reject
or do_not_reply it could send an extra round with "Unable to
authenticate you: rlm_sql failed. Try again later"; and only then the

I have no clue how to configure such a behaviour. Is it possible at all?


Stefan Winter

Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
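
The exchange asked about above, shown at the byte level as an added example (not part of the original post and not FreeRADIUS code or configuration): an EAP-Request/Notification (RFC 3748, type 2) carried in RADIUS EAP-Message attributes (RFC 3579, attribute 79), the peer's empty Response, and the final EAP-Failure. Function names, the identifier value and the sample text are assumptions made for illustration; a real Access-Challenge also needs a Message-Authenticator attribute, which is omitted here.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_FAILURE = 1, 2, 4
EAP_TYPE_NOTIFICATION = 2   # RFC 3748, section 5.2
RADIUS_EAP_MESSAGE = 79     # RFC 3579, section 3.1

def eap_notification_request(identifier, text):
    """Server -> peer: displayable UTF-8 text, at least one octet, no NUL terminator."""
    data = text.encode("utf-8")
    if not data:
        raise ValueError("Notification needs at least one octet of text")
    return struct.pack("!BBHB", EAP_REQUEST, identifier, 5 + len(data),
                       EAP_TYPE_NOTIFICATION) + data

def eap_notification_response(identifier):
    """Peer -> server: same identifier, type 2, zero octets of type-data."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5, EAP_TYPE_NOTIFICATION)

def eap_failure(identifier):
    """Final packet; the identifier matches the Response it answers."""
    return struct.pack("!BBH", EAP_FAILURE, identifier, 4)

def to_eap_message_attrs(eap_packet):
    """Split one EAP packet into EAP-Message attributes of at most 253 value octets."""
    chunks = (eap_packet[i:i + 253] for i in range(0, len(eap_packet), 253))
    return [bytes([RADIUS_EAP_MESSAGE, 2 + len(c)]) + c for c in chunks]

def from_eap_message_attrs(attrs):
    """Reassemble EAP-Message attributes; return (code, identifier, type, text)."""
    for a in attrs:
        if len(a) < 3 or a[1] != len(a):
            raise ValueError("malformed RADIUS attribute")
    eap = b"".join(a[2:] for a in attrs if a[0] == RADIUS_EAP_MESSAGE)
    if len(eap) < 4:
        raise ValueError("truncated EAP packet")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field does not match reassembled data")
    if code in (EAP_REQUEST, EAP_RESPONSE) and length > 4:
        return code, ident, eap[4], eap[5:].decode("utf-8")
    return code, ident, None, ""

if __name__ == "__main__":
    # Constructed sample: identifier 7 and the message text from the first scenario.
    challenge = to_eap_message_attrs(
        eap_notification_request(7, "Sorry, your home server is unreachable"))
    print("Access-Challenge EAP-Message:", from_eap_message_attrs(challenge))
    print("Peer response:", eap_notification_response(7).hex())
    print("Access-Reject EAP-Message:", from_eap_message_attrs(
        to_eap_message_attrs(eap_failure(7))))
```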