"use_tunnel_reply" not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jul 7 12:24:18 CEST 2011
> In 3.x code, We are returning a RLM_MODULE_NOOP from eap_post_proxy() :
> 582 /*
> 583 * Just in case the admin lists EAP in post-proxy-type Fail.
> 584 */
> 585 if (!request->proxy_reply) return RLM_MODULE_NOOP;
>
> But we are not doing so in 2.1.11 code. We call the MSCHAPv2 callback,
> i.e. mschap_postproxy(),
> which might be wiping off the attributes.
>
> So, my question is: will adding this code patch to 2.x code prudent to
> make it work ? Or we need to fix the
> mschapv2 handler itself : mschap_postproxy() in rlm_eap_mschapv2.c,so
> that it retains the extra attributes
> sent by the RADIUS home server ?
This code is complex and needs to be treated with care. There were
changes recently related to failures when proxying PEAP inner as eap
versus non-eap, and this code was implicated.
Basically, be careful fiddling with it.
More information about the Freeradius-Users
mailing list