Matthew Newton wrote:
There are three small commits -
It looks good. Send a pull request and I'll add it in.
I've tested it with successes and failures for PAP, EAP-TLS (check-eap-tls), PEAP and EAP-TTLS (inner-tunnel), and all work as expected.
What about proxying the inner-tunnel stuff? That probably still works, too.
The only thing I'm slightly unsure about is (1) - it seems to behave as expected, and seems the right place to put it, but I'm not 100%. On why rad_postauth was previously removed from rad_authenticate for rejects, my guess would be that there are so many places that rad_authenticate return for a reject, it would be called from several places. It's just tidier to do an if() and call it once after rad_authenticate has returned. rad_postauth is called immediately on failure, so reject_delay doesn't seem the right reason. But that's just my guess.
I don't recall. The server is getting a bit complicated. Part of the design goal of the new process.c state machine was to simplify it. I think I've been partially successful, but more work is required. Alan DeKok.