sending Challenge + EAP-Notification before Reject?

Stefan Winter stefan.winter at
Wed Feb 19 08:04:04 CET 2014


>>> Is this in any way doable with FreeRADIUS?
>>  Yes.  Arran was doing this a while ago, which is how he ran into the
>> above problem.
> It is doable with FreeRADIUS, but FreeRADIUS wasn't doing when I was 
> playing around with it.
> The NAS was translating Reply-Message into an EAP-Notification and sending
> it *after* the EAP-Success or EAP-Failure.
> This was causing wpa_supplicant to reinitialize it's state machine, and 
> restart authentication, which is how I became aware of it.

This is not what I mean... converting Reply-Message is forbidden for a
good reason (as you quote below): the authenticator can't be a
pass-through any more if he actively "fiddles" with the EAP conversation
on its own.

That's why the RFC language is so strong about the MUST about
EAP-Notification and MUST NOT of Reply-Message in presence of the
EAP-Message attribute.

> Yes you can send an EAP-Notification, but you should probably test whether 
> any supplicants will actually display it before investigating this much further.
> Back when I looked at it in 2008, only the OSX supplicant did anything useful 
> with it, and even then it was just writing it out to one of the system log files.
> You can fake a Challenge with unlang pretty easily for testing and just send it
> instead of the original EAP-Failure message.
> Use regex over %{hex:EAP-Message} to extract required ID field value.
> and to set the response type:
> update response {
> 	Response-Packet-Type := Access-Challenge
> }
> You may have to set the Response-Packet-Type immediately after calling EAP, 
> I don't know if setting it in Post-Auth REJECT will work, and you'll also need
> FreeRADIUS 3.0.1 or higher.

Well, that's better than nothing certainly. Guess what: I'm asking this
question because we are currently setting up what we call an "EAP Lab"
(working title) where a (Free- and others) RADIUS server can be tuned to
behave "non-normal" so that we can test supplicant behaviour in such
unusual situations. We were primarily aiming at "what if the server
cert's issuing CA suddently changes" and the like, but EAP-Notification
is great test vector to include.

We'll put your recipe above to the test on that lab and will ask back if
in doubt (certainly :-) ) ... The EAP lab website is WIP, but you can
always already go here: and click around.


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x8A39DC66.asc
Type: application/pgp-keys
Size: 3243 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Freeradius-Users mailing list