Can an EAP-over-RADIUS request ever result in an Access-Reject?

Joe Garcia joe27256 at
Mon Jan 27 16:54:08 CET 2020

The reason for that question is based on RFC 3579, section 3.2:

  It [Message-Authenticator] MUST be used in any Access-Request, Access-
  Accept, Access-Reject or Access-Challenge that includes an EAP-Message
  attribute.  A RADIUS server receiving an Access-Request with a Message-
  Authenticator attribute present MUST calculate the correct value of the
  Message-Authenticator and silently discard the packet if it does not match
  the value sent.

What this would mean in practice is that any EAP authentication
request with an incorrect password will be silently dropped, so
there's no possibility of ever seeing an Access-Reject.  I know what
the Message-Authenticator is meant for, but since I'm just using EAP
as a transport layer for a TLS tunnel its presence is irrelevant.

Is this behavior really how it works?  How can you use an
authentication mechanism for which the behavior for an incorrect
password is indistinguishable from a network error?


More information about the Freeradius-Users mailing list