Relaying EAP packets with freeradius-client

Alan DeKok aland at
Mon Sep 11 17:44:10 UTC 2023

On Sep 11, 2023, at 12:56 PM, Simo Tappola <simo.tappola at> wrote:
> a FreeRADIUS newbie here, with a (hopefully) basic question: I am
> struggling to figure out how to use freeradius-client as NAS/authenticator
> when authenticating a supplicant to freeradius-server.

  The short answer is you don't.  The freeradius-client library is intended to do RADIUS.  EAP is substantially more complex.

  If you need to implement EAP, then I would suggest looking at hostap / wpa_supplicant.  It has a large set of EAP methods available, and is very well documented.  It even has a basic RADIUS client which is used in the eapol_test program.

> I am currently trying to forward EAP identity response from the supplicant,
> but cannot get the server to accept my Message-Authenticator.

  The code to calculate Message-Authenticator is online in many places, including in FreeRADIUS.

  The freeradius-client library doesn't do Message-Authenticator, but that shouldn't be too hard to add.

> I think I
> have established that I need to add at least PW_EAP_MESSAGE (with the EAP
> bytes attached) and PW_MESSAGE_AUTHENTICATOR attributes when using the FR
> client, but how am I able to calculate the correct HMAC MD5 without the
> packet identifier that (I think) is generated in the FR client? The secret
> is configured correctly on both sides, of that I am 99,99% sure. :)

  I have to ask why you're writing yet another EAP library.  There's already source code available in hostap.

  Plus, EAP-MD5 isn't any better than CHAP.  It's 99.9% CHAP, but just wrapped in an EAP layer.  It adds complexity for no additional benefit.

  So rather than talking about technical details, perhaps you can explain why you need to do EAP, and why you're re-implementing EAP.

  It's 2023... I would very much suggest just using PAP.  It's secure, and it's fine.

  Alan DeKok.

More information about the Freeradius-Users mailing list