How to Initiate EAP-Request Identity

JAVIER SANDOVAL javier_sandoval_ldc at yahoo.es
Tue May 5 18:55:48 CEST 2020


Thanks Alan,

> What is an "unknown" EAP-Identity?

I.e. an ID not matching any provisioned user/account (i.e. the IP address of the user, which may change).

> In general, it's impossible to play games with packet state machines.  The devices implement particular state machines.  If you try to do something special / different, it generally won't work.

That is why I asked; I do not know FreeRADIUS' capabilities.

> You can't ask *again* for a different Identity.  Even if you sent an EAP Identity request back, the devices would likely (a) fail EAP entirely, or (b) ignore it, or (c) send back the same identity.

That is what I am interested in. I do not think the device should ignore the EAP-Identity request (that would not be RFC compliant); there is not much difference for the device whether it is the VPN server or the RADIUS server initiating the EAP-Identity Request.

> Ask the vendors to fix their implementations.  :(

Not feasible. Not sure if something is in fact wrong; it might be very unusual.
> Or, update the FreeRADIUS configuration to do identity checks based on some *other* field.  Look in the debug logs to see what's available.

Not sure what you mean: a different attribute in the initial RADIUS message from the VPN server? None of them has significance, nor can they be correlated with any user information available in the server.

Thanks for the feedback Alan; from your words I assume there is no option with FreeRADIUS for this use case.

Kind regards,
Javier

On Tuesday, 5 May 2020 18:34:08 CEST, Alan DeKok <aland at deployingradius.com> wrote:

On May 5, 2020, at 12:08 PM, JAVIER SANDOVAL via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Hi experts,
> This question is a bit related to one I asked last week about EAP-start support.
> Now it is a slightly different use case:
> I have no expertise with FreeRADIUS and do not know how flexible FreeRADIUS 3 may be to customize an authentication policy flow.
> The use case I am interested in is:
> FreeRADIUS initiates an EAP-Identity Request procedure when it receives an EAP-Response message containing only an EAP-Identity AVP (or, if a more specific approach is possible, only when the provided EAP-Identity is not known).

  What is an "unknown" EAP-Identity?

  In general, it's impossible to play games with packet state machines.  The devices implement particular state machines.  If you try to do something special / different, it generally won't work.

> The rationale behind it:
> 
> Some VPN servers do not initiate an EAP-Identity Request by themselves. That may happen as it is not mandatory in RFC 5106 section 3 (EAP-IKEv2). However, the server sends the RADIUS server an EAP-Response of type Identity AVP, which is filled with the IKE-ID conveyed by the end customer. Some VPN clients include the EAP user as the IKE-ID and all works normally, but others do not, and typically include as the IKE-ID the IP address of the supplicant (e.g. Windows 10 and macOS native VPN clients), which is unknown to the RADIUS/DB server.

  You can't ask *again* for a different Identity.  Even if you sent an EAP Identity request back, the devices would likely (a) fail EAP entirely, or (b) ignore it, or (c) send back the same identity.

> I would appreciate your feedback, and, if feasible, some guiding or hints about how to get that policy implemented.

  Ask the vendors to fix their implementations.  :(

  Or, update the FreeRADIUS configuration to do identity checks based on some *other* field.  Look in the debug logs to see what's available.

  Alan DeKok.



List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html  
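As an added illustration for readers of this thread (not code from the thread, from FreeRADIUS or from any vendor), the Python below builds the EAP-Request/Identity a VPN server would normally send, parses the EAP-Response/Identity that reaches the RADIUS server, and classifies the identity so that a policy can tell a provisioned username or NAI from a client that put its own IP address in the IKE-ID, the case Javier describes. The packet layout follows RFC 3748; the sample identities are constructed, and the function names (`triage`, `classify_identity`, the builders) are this example's own.

```python
"""Build and parse EAP Identity exchanges (RFC 3748) and classify the identity.

Constructed example: not from the mailing-list thread and not FreeRADIUS code.
"""
import ipaddress
import struct

# RFC 3748 s.4: EAP header is Code(1) Identifier(1) Length(2); s.5.1: Type 1 = Identity
EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
_HEADER = struct.Struct("!BBHB")  # Code, Identifier, Length, Type


def build_eap_identity_request(identifier: int, prompt: str = "") -> bytes:
    """EAP-Request/Identity as an authenticator (VPN server or RADIUS) would send it.

    Type-Data may carry an optional displayable prompt (RFC 3748 s.5.1)."""
    data = prompt.encode("utf-8")
    length = _HEADER.size + len(data)  # Length counts header and Type-Data
    return _HEADER.pack(EAP_REQUEST, identifier, length, EAP_TYPE_IDENTITY) + data


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """EAP-Response/Identity as the supplicant answers it."""
    data = identity.encode("utf-8")
    length = _HEADER.size + len(data)
    return _HEADER.pack(EAP_RESPONSE, identifier, length, EAP_TYPE_IDENTITY) + data


def parse_eap_identity_response(pkt: bytes) -> str:
    """Validate the framing and return the Identity string ('' means 'identity unknown')."""
    if len(pkt) < _HEADER.size:
        raise ValueError("EAP packet shorter than header plus Type")
    code, _identifier, length, eap_type = _HEADER.unpack_from(pkt)
    if code != EAP_RESPONSE:
        raise ValueError(f"expected EAP-Response (code 2), got code {code}")
    if eap_type != EAP_TYPE_IDENTITY:
        raise ValueError(f"expected Type Identity (1), got Type {eap_type}")
    if length > len(pkt):
        # bytes beyond Length are padding and are ignored; a Length larger than the
        # buffer is malformed and must be rejected before slicing
        raise ValueError(f"Length {length} exceeds the {len(pkt)} bytes received")
    data = pkt[_HEADER.size:length]
    if b"\x00" in data:
        raise ValueError("Identity Response MUST NOT be NUL-terminated (RFC 3748 s.5.1)")
    return data.decode("utf-8")


def classify_identity(identity: str) -> str:
    """Sort identities the way a policy would before deciding whether it can look them up.

    'ip-literal' is the case from the thread: the client put its own address in the
    IKE-ID, so the value matches no provisioned account and changes between sessions."""
    if identity == "":
        return "empty"        # RFC 3748: zero-length identity means 'unknown'
    try:
        ipaddress.ip_address(identity)
        return "ip-literal"
    except ValueError:
        pass
    if "@" in identity:
        return "nai"          # user@realm form (RFC 4282 Network Access Identifier)
    return "username"


def triage(pkt: bytes) -> tuple[str, str]:
    """Parse a response and return (identity, classification) for a policy decision."""
    identity = parse_eap_identity_response(pkt)
    return identity, classify_identity(identity)


if __name__ == "__main__":
    # Constructed samples: a provisioned user, two clients that sent their IP as IKE-ID,
    # and a client that reports its identity as unknown
    for ident in ("alice@example.org", "192.0.2.10", "2001:db8::1", ""):
        pkt = build_eap_identity_response(0x2A, ident)
        print(pkt.hex(), "->", triage(pkt))
```

The classification only tells the RADIUS side what kind of identity arrived; as Alan notes, it does not make the peer answer a second Identity request, so an `ip-literal` result is a signal to reject, log, or look the session up by some other attribute rather than to re-prompt.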

