How I can properly send error reasons for EAP requests Access-Reject?

Matthew Newton mcn at
Wed Aug 3 15:31:32 UTC 2022

On 03/08/2022 16:24, work vlpl wrote:
> I have a requirement to provide the reason why authentication failed.
> For non-EAP clients it is easy: just include Reply-Message in the
> Access-Reject packet. But for EAP clients the RFC says Reply-Message
> should not be sent together with EAP-Message.

Because the NAS gets the Reply-Message attribute, not the end user 
device, which only sees the EAP transaction.

So Reply-Message will never get to the user.

> And I've read RFC 3579 more.

No EAP supplicants display a message back to the user.

So there's no point worrying what any of the RFCs say. If the 
supplicants being used don't do it, then you can't do it.
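
The split described above, as an added example that is not part of the original post: it parses a constructed Access-Reject and separates the EAP-Message payload the NAS relays to the supplicant from the Reply-Message that stays at the NAS. The function names, the sample text "Account disabled" and the zeroed Message-Authenticator are assumptions for illustration; the sample deliberately carries both attributes to show where each one ends up.

```python
import struct

ACCESS_REJECT = 3
REPLY_MESSAGE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 79, 80
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def build_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_radius(packet):
    """Return (code, [(attr_type, value), ...]) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # skip header: code, id, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_len = packet[pos + 1]
        attrs.append((packet[pos], packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def split_for_supplicant(packet):
    """Split a RADIUS reply into what the NAS relays and what it keeps."""
    code, attrs = parse_radius(packet)
    # EAP-Message fragments are concatenated and forwarded as one EAP packet.
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    nas_only = [v.decode("utf-8", "replace") for t, v in attrs if t == REPLY_MESSAGE]
    return {"radius_code": code, "to_supplicant": eap,
            "eap_code": EAP_CODES.get(eap[0]) if eap else None,
            "stays_at_nas": nas_only}


def sample_reject():
    """Constructed Access-Reject: Reply-Message, EAP-Failure, dummy authenticator."""
    attrs = (build_attr(REPLY_MESSAGE, b"Account disabled")
             + build_attr(EAP_MESSAGE, bytes([4, 7, 0, 4]))  # EAP-Failure, id 7
             + build_attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, not a real HMAC
    header = struct.pack("!BBH", ACCESS_REJECT, 7, 20 + len(attrs)) + bytes(16)
    return header + attrs


if __name__ == "__main__":
    print(split_for_supplicant(sample_reject()))
```

The supplicant receives only the four-byte EAP-Failure, which has no field for a reason string.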

