How to force EAP-Identity Request sending after EAP START
Alan DeKok
aland at deployingradius.com
Fri May 1 19:00:22 CEST 2020
On May 1, 2020, at 12:37 PM, JAVIER SANDOVAL via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Thanks Alan,
> I know the RFC; for start there is an exception. The RFC states in 2.1: EAP-Start is indicated by sending an EAP-Message attribute with a
> length of 2 (no data).
Except that the later definition of EAP-Message indicates that's wrong. And RFC 2865 says that RADIUS attributes should never be sent with zero data.
> the server seems to recognize it as EAP-start according to the log
Yes. Because there are many broken clients.
> This use case is just required to interoperate with a VPN server that does not initiate the EAP-Identity Request by itself. That may happen as it is not mandatory in RFC 5106 section 3 (EAP-IKEv2).
Yes.
> In that case, the VPN server needs to tell the RADIUS in some way to initiate an EAP dialogue with the end customer. Using a start message is also suggested in RFC 3579 section 2.1
>
> Rather than sending an initial EAP-Request packet to the
> authenticating peer, on detecting the presence of the peer, the NAS
> MAY send an Access-Request packet to the RADIUS server containing an
> EAP-Message attribute signifying EAP-Start....
Sure. See the patch for a full fix.
Alan DeKok.
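
The EAP-Start convention discussed in this thread (an EAP-Message attribute of length 2, carrying no data), as an added Python example that is not part of the original message and is not FreeRADIUS code: it walks a RADIUS packet's attributes, classifies the EAP-Message content, and builds the EAP-Request/Identity that opens the EAP dialogue. Function names and the sample packets are constructed for illustration.

```python
import struct

EAP_MESSAGE = 79  # RADIUS attribute type for EAP-Message (RFC 3579)
EAP_REQUEST, EAP_TYPE_IDENTITY = 1, 1


def radius_attributes(packet: bytes):
    """Yield (type, value) per attribute, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def classify_eap(packet: bytes) -> str:
    """Return 'no-eap', 'eap-start' or 'eap-data' for one packet."""
    values = [v for t, v in radius_attributes(packet) if t == EAP_MESSAGE]
    if not values:
        return "no-eap"
    # Attribute length 2 means type + length octets only, so the value is
    # empty. Multiple EAP-Message attributes are concatenated before use.
    return "eap-start" if b"".join(values) == b"" else "eap-data"


def eap_identity_request(eap_id: int) -> bytes:
    """EAP-Request/Identity: code 1, identifier, length 5, type 1."""
    return struct.pack("!BBHB", EAP_REQUEST, eap_id, 5, EAP_TYPE_IDENTITY)


def build_access_request(attrs) -> bytes:
    """Constructed sample builder: Access-Request with a zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body


# Constructed sample packets (User-Name is attribute type 1).
SAMPLE_START = build_access_request([(1, b"anonymous"), (79, b"")])
SAMPLE_DATA = build_access_request(
    [(1, b"bob"), (79, struct.pack("!BBHB", 2, 1, 8, 1) + b"bob")])
```
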