This attribute encapsulates Extended Access Protocol packets
so as to allow the NAS to authenticate dial-in users via EAP
without having to understand the EAP protocol.
The NAS places any EAP messages received from the user into one or
more EAP attributes and forwards them to the RADIUS Server as part
of the Access-Request, which can return EAP messages in Access-
Challenge, Access-Accept and Access-Reject packets.
A RADIUS Server receiving EAP messages that it does not understand
SHOULD return an Access-Reject.
The NAS places EAP messages received from the authenticating peer
into one or more EAP-Message attributes and forwards them to the
RADIUS Server within an Access-Request message. If multiple EAP-
Messages are contained within an Access-Request or Access-
Challenge packet, they MUST be in order and they MUST be
consecutive attributes in the Access-Request or Access-Challenge
packet. Access-Accept and Access-Reject packets SHOULD only have
ONE EAP-Message attribute in them, containing EAP-Success or EAP-
It is expected that EAP will be used to implement a variety of
authentication methods, including methods involving strong
cryptography. In order to prevent attackers from subverting EAP by
attacking RADIUS/EAP (for example, by modifying the EAP-Success
or EAP-Failure packets) it is necessary that RADIUS/EAP provide
integrity protection at least as strong as those used in the EAP
Therefore the Message-Authenticator attribute MUST be used to
protect all Access-Request, Access-Challenge, Access-Accept, and
Access-Reject packets containing an EAP-Message attribute.
Access-Request packets including an EAP-Message attribute without
a Message-Authenticator attribute SHOULD be silently discarded by
the RADIUS server. A RADIUS Server supporting EAP-Message MUST
calculate the correct value of the Message-Authenticator and
silently discard the packet if it does not match the value sent.
A RADIUS Server not supporting EAP-Message MUST return an Access-
Reject if it receives an Access-Request containing an EAP-Message
attribute. A RADIUS Server receiving an EAP-Message attribute that
it does not understand MUST return an Access-Reject.
Access-Challenge, Access-Accept, or Access-Reject packets
including an EAP-Message attribute without a Message-Authenticator
attribute SHOULD be silently discarded by the NAS. A NAS
supporting EAP-Message MUST calculate the correct value of the
Message-Authenticator and silently discard the packet if it does
not match the value sent.
A summary of the EAP-Message attribute format is shown below. The
fields are transmitted from left to right.
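    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |     String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+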
Type
   79 for EAP-Message.
The String field contains EAP packets, as defined in . If
multiple EAP-Message attributes are present in a packet their
values should be concatenated; this allows EAP packets longer than
253 octets to be passed by RADIUS.
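The server-side handling described above, for Access-Request packets only, as an added example that is not part of the original specification text: it discards packets whose EAP-Message attributes lack a valid Message-Authenticator, checks that the EAP-Message attributes are consecutive, and concatenates their values. The Message-Authenticator type (80) and its computation (HMAC-MD5 keyed with the shared secret over the packet with the 16-octet value zeroed) come from that attribute's own definition, not from this section; the function names, the shared secret and the sample packet are constructed for illustration.

```python
import hashlib, hmac, os, struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR, ACCESS_REQUEST = 79, 80, 1

def build_access_request(eap, secret, ident=1):
    """Constructed sender: split EAP into <=253-octet values, then sign."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    attrs = b"".join(bytes([EAP_MESSAGE, 2 + len(c)]) + c for c in chunks)
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zero placeholder
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, hdr + attrs, hashlib.md5).digest()
    return hdr + attrs[:-16] + mac

def parse_attributes(packet):
    """Return ([(type, value_offset, value), ...], declared_length)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    end = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= end <= len(packet):
        raise ValueError("bad Length field")
    out, pos = [], 20
    while pos < end:
        if pos + 2 > end or packet[pos + 1] < 2 or pos + packet[pos + 1] > end:
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        out.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return out, end

def extract_eap(packet, secret):
    """Reassembled EAP packet, b"" if no EAP-Message, None if it must be discarded."""
    try:
        attrs, end = parse_attributes(packet)
    except ValueError:
        return None
    eap_idx = [i for i, a in enumerate(attrs) if a[0] == EAP_MESSAGE]
    if not eap_idx:
        return b""
    mauth = [a for a in attrs if a[0] == MESSAGE_AUTHENTICATOR]
    if len(mauth) != 1 or len(mauth[0][2]) != 16:
        return None  # EAP-Message without a usable Message-Authenticator
    if eap_idx != list(range(eap_idx[0], eap_idx[-1] + 1)):
        return None  # not consecutive; discarding is this example's choice
    off = mauth[0][1]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:end]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mauth[0][2]):
        return None
    return b"".join(attrs[i][2] for i in eap_idx)
```

Access-Challenge, Access-Accept and Access-Reject packets are verified on the NAS with the Request Authenticator of the matching Access-Request substituted into the header before the HMAC is computed, which this example does not cover.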