On 18.07.2013 12:15, Alan DeKok wrote:
Olivier Beytrison wrote:
This is the opportunity to discuss a the difference of behaviour between EAP-TTLS/MSCHAPv2 and EPA-PEAP/MSCHAPv2 which is bothersome.
As Phil said, it's really EAP-PEAP/EAP-MSCHAPv2. That's the source of the difference.
This mean that with EAP-PEAP/MSCHAPv2, if the ldap/sql/xxx module in authorize{} add attributes to the reply, they will be sent during the last challenge/response in authenticate{}, and will not be present in post-auth or the final access-accept.
That's what "use_tunneled_reply" is for. The reply gets cached, and sent in the final Access-Accept. This is the same behavior as 2.x.
See "accept_vps" in peap.c. Maybe you don't have "use_tunneled_reply" set?
both copy_request_to_tunnel and use_tunneled_reply are set to yes. As discussed, the code to save the VP is there. What happen on my side is that it's called on the 8th packet, whereas the ldap module has been called on the 7th packet. So there's nothing to save at this time. imho there is something to fix here. -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org