3.0.11 update broke my PEAP

Wed Feb 17 17:39:03 CET 2016

On Feb 17, 2016, at 9:09 AM, Stefan Winter <stefan.winter at restena.lu> wrote:
> Well I now changed all of them consistently to MSCHAP, and confirm that
> this works.

  That's good.

> I guess I could alternatively change all of them to MS-CHAP and it would
> still work.

  Yes.

> I still can't get my head around this... if the name doesn't matter,
> could I consistently change it to Auth-Type FOOBAR{} and it would still
> work?

  The name does matter.

  The problem is that people had *both* names, and complained that they didn't both work.  So the code was updated to allow for both in some situations.

  The result is that people had inconsistent configurations.  And... that caused problems.

> Or are both MSCHAP and MS-CHAP two reserved words for essentially the
> same thing, and using both in the same config now (as in 3.0.11+) yields
> unexpected results? And the unexpected results are the "correct" results?

  The PEAP module tries both MSCHAP and MS-CHAP.  Because the PEAP module can't tell what you really have in the "authenticate" section.

   I'll make this configurable, and explicit in the config for 3.0.12.

>>  I'm saying that the configuration never really did what you expected.  It "worked", for accidental versions of "worked".
> 
> The subtlety of why it's wrong is too subtle for me. It worked for an
> incredibly long time over many many versions. And if the two keywords
> can't co-exist in the same config then this doesn't seem documented
> anywhere.

  They can exist in the same config.  The problem is that the EAP-MSCHAPv2 module has to *guess* which one is being used.  If you have both "MSCHAP" and "MS-CHAP" in the same config, it can guess wrong.

  The solution is to make this guess explicit in the EAP-MSCHAPv2 module configuration.

  Alan DeKok.