"use_tunnel_reply" not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jul 7 17:46:54 CEST 2011
On 07/07/11 14:43, Nitin Bhardwaj wrote:
> Thanks Phil.
>
> I found this recent patch added to 2.x, regarding inner-MSCHAP broken:
> https://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00295.html
Yes, that's what I was thinking of.
>
>
> I think this patch fixed the original issue, but the mschapv2 callback
> is not preserving *all* the attributes
> received from the home server. Any ideas on how to fix mschap_postproxy ?
It is hard. When the plain MSCHAP response comes back (as an
Access-Accept) it has to be turned into an EAP-MSCHAPv2
Access-Challenge. The PEAP attribute-saving code does not look at
Access-Challenge packets - only Access-Accept.
Basically, mschap_postproxy would need to save the attributes, then
insert them in the final Access-Accept.
>
> Another thing, this patch is not carried over to the 3.x branch and
> mschap_postproxy in both 2.x and 3.x
> are almost same (except for some DEBUG statements), so there must be
> something else different between
> 2.x and 3.x - which makes this work in 3.x and not in 2.x!!
Are you sure this is working in 3.x?
If 3.x is missing the above patch, post-proxy should fail completely;
the Access-Accept won't be re-written to an EAP-MSCHAP access-challenge,
and EAP should fail.
The (untested) patch below might help on 2.1.x:
https://github.com/philmayers/freeradius-server/commit/3c1ed71cde100268dba57cbd87953af2bfda6d87
...or for 3.x:
https://github.com/philmayers/freeradius-server/commit/6877b70f442536c93ed097f3c9f6d17d9c960b19
More information about the Freeradius-Users
mailing list