RADIUS message format needed to trigger EAP-TLS/EAP-TTLS negotiation

Joe Garcia joe27256 at gmail.com
Wed Nov 7 13:32:52 CET 2018


Alan DeKok <aland at deployingradius.com> wrote:

> > All the example message flows I can
> > find, e.g. in RFC 3579, have three parties involved, the client, a
> > NAS, and the RADIUS server, so the client ends up sending an
> > EAP-Response to the NAS rather than anything to the RADIUS server.
>
> That's how EAP works, yes.

In that case are we being asked to do something that's not possible,
i.e. having the client/supplicant talk directly to the RADIUS server
without a NAS involved?  That would also explain why we're having
problems with it.

> Send an EAP-Message containing an EAP-Identity.  That starts EAP.  The
> server SHOULD respond with an Access-Challenge containing an EAP-Message.
> That EAP-Message essentially says "Hi!  Let's do TTLS!"

I've tried that, and got no response from the server... checking RFC
3748, the EAP-Identity is sent by the authenticator, not the
client/supplicant:

      The Identity Type is used to query the identity of the peer.
      Generally, the authenticator will issue this as the initial
      Request.

Then RFC 5281 says:

   However, prior to beginning the EAP-TTLS authentication, the client
   will typically issue an EAP-Response/Identity packet as part of the
   EAP protocol

but that's the three-party version again since the client can't begin
its communication with a Response.

This sorta reinforces my suspicion (see above) that we're being asked
to implement something that may not be possible?

JG.
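The Access-Request that Alan describes above (an EAP-Message carrying EAP-Response/Identity, which RFC 3579 says must be accompanied by a Message-Authenticator), as an added example that is not code from this thread or from FreeRADIUS; the shared secret, identity and fixed Request Authenticator are constructed test values, and the verify function mirrors the check a server performs on receipt.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY = 1, 2, 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type (1), Length (1, includes header), Value."""
    assert len(value) <= 253, "RADIUS attribute values are at most 253 bytes"
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP packet: Code=2 (Response), Identifier, Length, Type=1 (Identity), data."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity),
                       EAP_TYPE_IDENTITY) + identity


def build_access_request(secret, identity, radius_id=0, eap_id=1, authenticator=b""):
    """Access-Request carrying EAP-Message(EAP-Response/Identity) plus the
    Message-Authenticator that RFC 3579 requires whenever EAP-Message is present."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes per RFC 2865
    attrs = avp(ATTR_USER_NAME, identity)
    attrs += avp(ATTR_EAP_MESSAGE, eap_response_identity(eap_id, identity))
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while computing HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # overwrite the 16-byte placeholder


def verify_message_authenticator(secret, packet):
    """Walk the attribute list, zero Message-Authenticator, recompute HMAC-MD5."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(length, 2)
    return False
```

A server that sees EAP-Message without a valid Message-Authenticator silently discards the request, which is one plausible reason for getting no reply at all.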
