How to Initiate EAP-Request Identity
Alan DeKok
aland at deployingradius.com
Tue May 5 18:33:59 CEST 2020
On May 5, 2020, at 12:08 PM, JAVIER SANDOVAL via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Hi experts,
> this question is a bit related to one I did last week about EAP-start support.
> Now it is a slightly different use case:
> I have no expertise with FreeRADIUS and do not know how flexible FreeRADIUS 3 may be to customize an authentication policy flow.
> The use case I am interested in is:
> FreeRADIUS initiates an EAP Identity Request procedure when it receives an EAP-Response message containing only an EAP Identity AVP (or, if a bit more specific approach might be possible, only when the provided EAP-Identity is not known).
What is an "unknown" EAP-Identity?
In general, it's impossible to play games with packet state machines. The devices implement particular state machines. If you try to do something special / different, it generally won't work.
> The rationale behind:
>
> Some VPN server(s) do not initiate EAP-Identity Request by themselves. That may happen as it is not mandatory at RFC 5106 section 3 (EAP-IKEv2). However, the server sends to the RADIUS server an EAP-Response type Identity AVP, which is filled with the IKE-ID conveyed by the end customer. Some VPN clients include the EAP user as IKE-ID and all works normally, but some others do not, and typically include as IKE-ID the IP address of the supplicant (i.e. Windows 10, macOS native VPN clients), which is unknown for the RADIUS/DB server.
You can't ask *again* for a different Identity. Even if you sent an EAP Identity request back, the devices would likely (a) fail EAP entirely, or (b) ignore it, or (c) send back the same identity.
> I would appreciate your feedback, and, if feasible, some guidance or hints about how to get that policy implemented.
Ask the vendors to fix their implementations. :(
Or, update the FreeRADIUS configuration to do identity checks based on some *other* field. Look in the debug logs to see what's available.
Alan DeKok.
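One way to act on the "check some other field" suggestion, as an added example that is not part of the thread and not FreeRADIUS's own configuration: a FreeRADIUS 3 unlang policy that detects an EAP Identity which is merely an IPv4 address and, instead of asking the client for a new identity, keys the user lookup on a different attribute. It assumes the VPN gateway forwards the client's IKE-ID as User-Name and also sends Calling-Station-Id (which attribute is actually present must be confirmed from `radiusd -X` output), and that the `files` module keeps its default key of `%{%{Stripped-User-Name}:-%{User-Name}}`. The policy name `vpn_ip_identity` is invented for this example.

```unlang
# Added example (not from the thread). Save as policy.d/vpn_ip_identity and
# call it as "vpn_ip_identity" in the authorize section, before "files".
#
# Assumptions (verify against your own debug output):
#   - the VPN gateway puts the client's IKE-ID into User-Name, and
#   - it also sends Calling-Station-Id, which the user store can be keyed on.
vpn_ip_identity {
    # Only EAP requests are of interest here.
    if (&EAP-Message) {
        # An EAP Identity that is just a dotted-quad IPv4 address cannot be
        # matched against the user database as-is.
        if (&User-Name =~ /^([0-9]{1,3}\.){3}[0-9]{1,3}$/) {
            if (!&Calling-Station-Id) {
                # Nothing else to identify the client by: do not guess, and
                # leave a reason in the debug/auth log for later review.
                update request {
                    &Module-Failure-Message := "EAP identity '%{User-Name}' is an IP address and no Calling-Station-Id was sent"
                }
                reject
            }

            # Keep the original identity for logging, then make the "files"
            # module (and anything else honouring Stripped-User-Name) look the
            # user up by the other field instead of the IP-address identity.
            update request {
                &Tmp-String-0        := "%{User-Name}"
                &Stripped-User-Name  := "%{Calling-Station-Id}"
            }
        }
    }
}
```

Because EAP is not restarted, the client never sees a second Identity request; only the server-side lookup key changes, which is exactly the kind of "identity check on another field" that stays within the device's EAP state machine. If the subsequent `files` or SQL lookup finds no entry for the substituted key, the request is rejected as usual and the original identity remains in Tmp-String-0 for the log.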