Proxy PEAP to one Radius Server - EAP-TLS to another Radius Server
Alan DeKok
aland at deployingradius.com
Thu Aug 13 18:21:00 CEST 2015
On Aug 13, 2015, at 3:18 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> I wondered about that; what about the EAP-Identity packet?
RFC 3579 (EAP over RADIUS) says:
The authenticating peer and the NAS begin the EAP conversation by
negotiating use of EAP. Once EAP has been negotiated, the NAS SHOULD
send an initial EAP-Request message to the authenticating peer. This
will typically be an EAP-Request/Identity, although it could be an
EAP-Request for an authentication method (Types 4 and greater).
However, RFC 2284 (EAP) says:
Typically, the authenticator will send an initial Identity Request
followed by one or more Requests for authentication information.
However, an initial Identity Request is not required, and MAY be
bypassed in cases where the identity is presumed (leased lines,
dedicated dial-ups, etc.).
which likely means that *all* EAP sessions for 802.1X will start with Identity, and never just start an EAP type.
Alan DeKok.
More information about the Freeradius-Users
mailing list