Relaying EAP packets with freeradius-client

Simo Tappola simo.tappola at
Mon Sep 11 16:56:39 UTC 2023


a FreeRADIUS newbie here, with a (hopefully) basic question: I am
struggling to figure out how to use freeradius-client as NAS/authenticator
when authenticating a supplicant to freeradius-server. I already
implemented a version that calculated and verified the EAP MD5 hashes
locally (without FR client), but I would now like to move authentication
responsibilities to the server.

I am currently trying to forward EAP identity response from the supplicant,
but cannot get the server to accept my Message-Authenticator. I think I
have established that I need to add at least PW_EAP_MESSAGE (with the EAP
bytes attached) and PW_MESSAGE_AUTHENTICATOR attributes when using the FR
client, but how am I able to calculate the correct HMAC MD5 without the
packet identifier that (I think) is generated in the FR client? The secret
is configured correctly on both sides, of that I am 99,99% sure. :)

Best regards,


More information about the Freeradius-Users mailing list