How to force EAP-Identity Request sending after EAP START
Alan DeKok
aland at deployingradius.com
Fri May 1 18:02:12 CEST 2020
On May 1, 2020, at 11:48 AM, JAVIER SANDOVAL via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Thanks a lot Alan,
> sometime ago I commented some options in eap.conf to leave just eap-mschapv2, and also applied filter attr_filter.access_challenge.post-auth to remove some attributes in access-challenge. Also think I enabled eap in authorize/auth (i think under /etc/raddb/sites-enabled/inner-tunnel). I do not think I did more. EAP was working, EAP-start is a new use case I need to support.
OK.
> I have removed the access-challenge filter to check but have the same result.
> The full debug of the access-attmpt
> (0) Received Access-Request Id 5 from 10.0.87.205:64385 to 192.168.99.9:1812 length 152
> (0) User-Name = "swan"
> (0) Acct-Session-Id = "172.172.172.40-172.20.182.6:4500-1588347078"
> (0) Calling-Station-Id = "172.20.182.6:4500"
> (0) Called-Station-Id = "172.172.172.40"
> (0) NAS-Port-Id = "tunnel-1.public:40"
> (0) NAS-Identifier = "vBNG"
> (0) EAP-Message = 0x
Yeah, that's a problem. The EAP peer MUST NOT send an empty EAP-Message attribute. See RFC 3579 Section 3.1. It should instead send 2 byte EAP start message.
Or, more commonly, an EAP Identity. Which is what 99.999% of EAP peers do.
It's not clear why you need to support EAP-Start. Perhaps explaining that may help.
> Not sure if you refer to this debug.
Yes.
I've pushed a fix, which will be in the next release.
Alan DeKok.
More information about the Freeradius-Users
mailing list