RADIUS message format needed to trigger EAP-TLS/EAP-TTLS negotiation

[Joe Garcia]

I'm working with an embedded device that needs to authenticate to a
FreeRADIUS server using EAP-TLS or EAP-TTLS.  I don't control the
FreeRADIUS server (this means I can't provide debug output, sorry), I
just need to authenticate to it from the device, with the server
configured to talk EAP-TLS/EAP-TTLS.  The device runs custom software
that talks RADIUS, EAP, and TLS, but no matter what I try, I can't
find the right combination of messages to get the server to negotiate
one of the two TLS protocols.

I've tried the obvious option of sending a RADIUS Access-Request
containing an EAP-Message TLV with code EAP-Request, type EAP-TLS or
EAP-TTLS, but get no response from the server.  It replies to other
random requests with the expected Access-Reject, so it's responding to
requests, just not the TLS ones.  All the example message flows I can
find, e.g. in RFC 3579, have three parties involved, the client, a
NAS, and the RADIUS server, so the client ends up sending an
EAP-Response to the NAS rather than anything to the RADIUS server.

Does anyone know what I need to send from the client directly to the
FreeRADIUS server to trigger the EAP-TLS/TTLS process?  I'm looking
for something like RADIUS code, EAP code, and EAP type, along with any
other RADIUS and EAP TLVs that may be required.