It might be sufficient to authenticate on other networks, but on freenode, it is not.
Use case scenario: getting on the freenode network via Tor by using the SASL EXTERNAL option (which is required on freenode, btw).
I think the solution would be to explicitly tell the server that you're planning on using EXTERNAL authentication.
-> CAP LS
<- :rajaniemi.freenode.net CAP * LS :account-notify extended-join identify-msg multi-prefix sasl
-> CAP REQ sasl
<- :rajaniemi.freenode.net CAP * ACK :sasl
-> AUTHENTICATE EXTERNAL
<- AUTHENTICATE +
-> AUTHENTICATE +
This is what the handshake should look like.
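The exchange above as a small client-side state machine, added here as an example; it is not code from the post or from any IRC client. `SaslExternal` and `replay` are hypothetical names, and the handling of numerics 903/904-906, `CAP END` and the fail-closed `QUIT` goes beyond the lines shown in the post, following the IRCv3 SASL numerics.

```python
# Added example; SaslExternal and replay are hypothetical names, not a library API.
class SaslExternal:
    """Sans-IO client side: feed server lines in, get lines to send back."""

    def __init__(self):
        self.state = "ls"   # ls -> req -> mech -> payload -> done | failed
        self.error = None

    def start(self):
        return ["CAP LS"]

    def _fail(self, reason):
        # Fail closed: never fall through to an unauthenticated session.
        self.state, self.error = "failed", reason
        return ["QUIT"]

    def feed(self, line):
        words = line.split()
        if words and words[0].startswith(":"):
            words = words[1:]                     # drop ":server.name" prefix
        if not words:
            return []
        cmd, args = words[0], words[1:]
        if cmd == "CAP" and len(args) >= 2:
            sub, caps = args[1], [a.lstrip(":") for a in args[2:]]
            if sub == "LS" and self.state == "ls":
                if "sasl" not in caps:
                    return self._fail("sasl not offered")
                self.state = "req"
                return ["CAP REQ sasl"]
            if sub == "ACK" and self.state == "req" and "sasl" in caps:
                self.state = "mech"
                return ["AUTHENTICATE EXTERNAL"]  # name the mechanism explicitly
            if sub == "NAK" and self.state == "req":
                return self._fail("sasl refused")
        elif cmd == "AUTHENTICATE" and args == ["+"] and self.state == "mech":
            self.state = "payload"
            return ["AUTHENTICATE +"]             # empty response for EXTERNAL
        elif cmd == "903" and self.state == "payload":
            self.state = "done"
            return ["CAP END"]
        elif cmd in ("904", "905", "906") and self.state in ("mech", "payload"):
            return self._fail("SASL numeric " + cmd)
        return []

def replay(server_lines):
    """Run a captured server transcript; return (lines sent, final state)."""
    client = SaslExternal()
    sent = client.start()
    for line in server_lines:
        sent += client.feed(line)
    return sent, client.state
```
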