Forum Discussion
The wireless router's requests could each be unique, or they could be successive responses to the challenge. You will need to look deeper inside the packet to find out which. If they are unique requests, then the wireless router is not responding to the challenge. If they are successive requests (with embedded challenge response), then the server is not accepting the challenge response. You say this works when you bypass the F5?
From the RFC:
If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an "Access-Challenge" response.... The client then re-submits its original Access-Request with a new request ID, with the User-Password Attribute replaced by the response (encrypted), and including the State Attribute from the Access-Challenge, if any... The server can respond to this new Access-Request with either an Access-Accept, an Access-Reject, or another Access-Challenge.