Strongswan integration, Access-Request contains no credentials?

Alan DeKok aland at
Fri Mar 16 17:35:53 CET 2018

On Mar 16, 2018, at 3:57 PM, Brian Julin <BJulin at> wrote:
> Either that option is broken due to bitrot, or there is some use case in sending
> an EAP-Start *to* the client (not that I know of).  AFAICT the idea here
> would be to send it to FR, and it obviously does not.  rlm_eap does document
> that it will detect an EAP-Start and send back an identity, though normally
> it is the NAS that should handle this part of the exchange.

  That should work.

> At any rate there's a comment saying not to use the option with FR in the
> default strongswan config file:
>    # Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
>    # Doing this gives FreeRADIUS fits... some sort of hardcoded forwarding loop
>    # eap_start = yes
> ...I'm not sure if the alleged "loop" problem is still a problem

  The alleged "loop" is likely a configuration issue on their end.  I've tested FR with EAP-Start packets since the day we supported EAP.  There is no "hardcoded forwarding loop".

  The whole source is available FFS.  Anyone can read the FR source and verify that there's no "hardcoded forwarding loop" for EAP-Start.  FR just returns an EAP Identity request.

  Alan DeKok.

More information about the Freeradius-Users mailing list