Attribute Number



3 or more octets



Allowed in

Access-Accept, Access-Reject, Access-Challenge, Access-Request

Prohibited in

Accounting-Request, Accounting-Response

Presence in Packet

Not required

Maximum Iterations

Unlimited in Access-Request and Access-Challenge packets;1 in Access-Accept and Access-Reject packets

This attribute serves as the method by which EAP messages are transmitted within a RADIUS packet. The RADIUS client machine places all of the messages received from the client into individual EAP-Message attributes and wraps them into a standard Access-Request packet. The RADIUS server then returns EAP messages in Access-Challenge, Access-Accept, and Access-Reject messages.

The Message-Authenticator attribute (detailed a bit later in this chapter) is required to be present if this attribute is used; this is to protect the integrity of RADIUS over EAP to the same degree that EAP affords transactional integrity on its side of the link. The Message-Authenticator must be used to protect all Access-Request, Access-Challenge, Access-Accept, and Access-Reject messages which hold one or more EAP-Message attributes.

Get RADIUS now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.