Unexpected first EAP message in Diameter

So I've been looking at adding support for Diameter EAP in my server. After reading up on RFC 4072 and RFC 3748 I was fooled into thinking I had a general idea.

My expectation was that the client would pass a so-called EAP-Start message (an empty EAP-Payload AVP) to my server. I would respond with a proper EAP request for identity (type 1), the Diameter client would deliver the response to that in a new EAP-Payload, and then the cycle would continue.

However, when I was looking at actual pcap traces from freeDiameter (e.g. this pcap) I noticed that the first Diameter EAP request (No. 6) already contained an EAP Identity response (!!), kind of bypassing the initial round trip.

While I don't have a huge problem with implementing this, I would really like to know if this is by the (EAP) spec. Can you start an EAP transaction with a response?

There is 1 best solution below

Yes - actually, that IS in the spec.

   EAP authentication is initiated by the server (authenticator),
   whereas many authentication protocols are initiated by the client
   (peer).  As a result, it may be necessary for an authentication
   algorithm to add one or two additional messages (at most one
   roundtrip) in order to run over EAP.

So you need ANY message to trigger the server to start the EAP sequence. That is why you usually see the same message twice.
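
An added example, not code from the question, the answer or freeDiameter: a Python sketch of how a server could classify the EAP-Payload data of the first Diameter-EAP-Request, handling both openings discussed above (an empty payload, i.e. EAP-Start, and an EAP-Response/Identity) and rejecting malformed input. The function names and sample packets are assumptions constructed for illustration.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2   # EAP Code values (RFC 3748)
EAP_TYPE_IDENTITY = 1              # EAP Type 1 = Identity


def build_identity_request(identifier: int) -> bytes:
    """EAP-Request/Identity: Code, Identifier, Length (5), Type, no data."""
    return struct.pack("!BBHB", EAP_REQUEST, identifier, 5, EAP_TYPE_IDENTITY)


def handle_first_eap_payload(payload: bytes, next_id: int = 1):
    """Classify the EAP-Payload AVP data of the first Diameter-EAP-Request.

    Returns (action, value):
      ("send_identity_request", bytes)  for an empty payload (EAP-Start)
      ("identity_received", str)        for an EAP-Response/Identity
      ("reject", reason)                for anything else
    """
    if len(payload) == 0:
        return ("send_identity_request", build_identity_request(next_id))
    if len(payload) < 5:
        return ("reject", "shorter than an EAP header plus Type")
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    # Length covers the whole EAP packet; never trust it beyond the AVP data.
    if length < 5 or length > len(payload):
        return ("reject", "EAP Length field inconsistent with AVP data")
    if code != EAP_RESPONSE:
        return ("reject", "peer may only open with an EAP-Response")
    if payload[4] != EAP_TYPE_IDENTITY:
        return ("reject", "first response is not Type 1 (Identity)")
    # Identity is untrusted peer input; decode leniently, validate before use.
    identity = payload[5:length].decode("utf-8", errors="replace")
    return ("identity_received", identity)


# Constructed sample inputs (not taken from the pcap in the question).
EAP_START = b""
IDENTITY_RESPONSE = struct.pack("!BBHB", EAP_RESPONSE, 0, 5 + 5, 1) + b"alice"
TRUNCATED = struct.pack("!BBHB", EAP_RESPONSE, 0, 64, 1) + b"al"

if __name__ == "__main__":
    for sample in (EAP_START, IDENTITY_RESPONSE, TRUNCATED):
        print(handle_first_eap_payload(sample))
```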