On 18.07.2013 14:37, Alan DeKok wrote:
Olivier Beytrison wrote:
in authorize, when eap (eap_peap) return "handled", the ldap module is executed, and adds attributes to the reply. It the goes to authenticate and EAP is called again, but only eap and peap_mschapv2 are executed, not eap_peap.
I'm not sure what that means. There's EAP-MSCHAPv2, but not peap-mschapv2.
Yeah sorry, made a typo, it's eap_mschapv2
And EAP-MSCHAPv2 runs inside of PEAP. So the code should always go EAP -> PEAP -> EAP-MSCHAPv2
Ran the server in gdb, and couldn't verify this. That's what I had : #0 mschapv2_authenticate (arg=0x8dc7e0, handler=0x924a50) at src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c:371 #1 0x00007fffeff8a35b in eap_module_call (handler=0x924a50, module=<optimized out>) at src/modules/rlm_eap/eap.c:217 #2 0x00007fffeff8a758 in eap_method_select (inst=0x8b8e10, handler=<optimized out>) at src/modules/rlm_eap/eap.c:473 #3 0x00007fffeff89de3 in mod_authenticate (request=0x917220, instance=0x8b8e10) at src/modules/rlm_eap/rlm_eap.c:302 #4 mod_authenticate (instance=0x8b8e10, request=0x917220) at src/modules/rlm_eap/rlm_eap.c:262 #5 0x000000000041e410 in call_modsingle (request=0x917220, component=0, sp=<optimized out>) at src/main/modcall.c:311 #6 modcall (component=0, c=0x8e2fe0, request=<optimized out>) at src/main/modcall.c:796 no peap in the stack. eap_mschapv2 is directly run from EAP The main point I'm discussing here is that, at least on OUR side eap-ttls/mschapv2 and eap-peap/peap-mschapv2 are the main method used by our clients. And we get different behaviour on the server (okay they are two different eap types with different flows). With ttls we can set attributes in authz and use them in post-auth, with peap we can't. Now if this will remain because of the design, the protocols ect, it should be documented, and I'll setup the cache module again. But I think, for consistency, that attributes added in authz should be made available in post-auth. The base code is here (accept_vps being saved), it just needs to be used at the right time. Full debug of a eap-peap/mschapv2 : https://gist.github.com/olivierbeytrison/912b9aa8e0ebc3cc0385 full debug of an eap-ttls/mschapv2 : https://gist.github.com/olivierbeytrison/3ca76806d015ad108104 Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org