RADIUS message format needed to trigger EAP-TLS/EAP-TTLS negotiation
Joe Garcia
joe27256 at gmail.com
Wed Nov 7 13:32:52 CET 2018
Alan DeKok <aland at deployingradius.com> wrote:
> > All the example message flows I can
> > find, e.g. in RFC 3579, have three parties involved, the client, a
> > NAS, and the RADIUS server, so the client ends up sending an
> > EAP-Response to the NAS rather than anything to the RADIUS server.
>
> That's how EAP works, yes.
In that case are we being asked to do something that's not possible,
i.e. having the client/supplicant talk directly to the RADIUS server
without a NAS involved? That would also explain why we're having
problems with it.
> Send an EAP-Message containing an EAP-Identity. That starts EAP. The
> server SHOULD respond with an Access-Challenge containing an EAP-Message.
> That EAP-Message essentially says "Hi! Let's do TTLS!"
I've tried that, and got no response from the server... checking RFC
3748, the EAP-Identity is sent by the authenticator, not the
client/supplicant:
    The Identity Type is used to query the identity of the peer.
    Generally, the authenticator will issue this as the initial
    Request.
Then RFC 5281 says:
    However, prior to beginning the EAP-TTLS authentication, the client
    will typically issue an EAP-Response/Identity packet as part of the
    EAP protocol
but that's the three-party version again since the client can't begin
its communication with a Response.
This sorta reinforces my suspicion (see above) that we're being asked
to implement something that may not be possible?
JG.
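The three-party flow discussed above, as an added example that is not from this thread or from FreeRADIUS: a Python script that builds the Access-Request a NAS sends to carry the supplicant's EAP-Response/Identity inside EAP-Message attributes (RFC 3579), adds the Message-Authenticator that RFC 3579 section 3.2 requires whenever EAP-Message is present, and shows the server-side check of that attribute. The shared secret, identity and request authenticator values are constructed; attribute numbers 1, 79 and 80 are the standard ones.

```python
# Added example (not from the mailing-list thread): how a NAS wraps the
# supplicant's EAP-Response/Identity in a RADIUS Access-Request so that the
# RADIUS server can start EAP (RFC 3579 section 3). All sample values are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP packet (RFC 3748 s4.1): Code=Response, Identifier, Length, Type=Identity, data."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: Type, Length (includes the 2-byte header), Value (at most 253 bytes)."""
    assert len(value) <= 253
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identity: bytes, radius_id: int = 0,
                         eap_id: int = 0, request_auth: bytes = b"") -> bytes:
    """Access-Request carrying EAP-Message plus the Message-Authenticator that
    RFC 3579 s3.2 requires whenever EAP-Message is present."""
    request_auth = request_auth or os.urandom(16)
    eap = eap_response_identity(eap_id, identity)
    body = attr(ATTR_USER_NAME, identity)
    for i in range(0, len(eap), 253):  # larger EAP packets are split across attributes
        body += attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    # Message-Authenticator = HMAC-MD5(secret, whole packet) with its own value zeroed.
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(body) + len(placeholder)) + request_auth
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: walk the attributes, recompute the HMAC with the field zeroed."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(attr_len, 2)
    return False  # no Message-Authenticator: RFC 3579 says the server SHOULD discard it
```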