18 Jul
2013
18 Jul
'13
6:15 a.m.
Olivier Beytrison wrote:
This is the opportunity to discuss a the difference of behaviour between EAP-TTLS/MSCHAPv2 and EPA-PEAP/MSCHAPv2 which is bothersome.
As Phil said, it's really EAP-PEAP/EAP-MSCHAPv2. That's the source of the difference.
This mean that with EAP-PEAP/MSCHAPv2, if the ldap/sql/xxx module in authorize{} add attributes to the reply, they will be sent during the last challenge/response in authenticate{}, and will not be present in post-auth or the final access-accept.
That's what "use_tunneled_reply" is for. The reply gets cached, and sent in the final Access-Accept. This is the same behavior as 2.x. See "accept_vps" in peap.c. Maybe you don't have "use_tunneled_reply" set? Alan DeKok.