On Thu, Jul 18, 2013 at 09:53:02AM +0100, Phil Mayers wrote:
Setting them in authorize is only safe if you set them on *every pass* through authorize. You're not doing this, because you have:
eap { ok = return } ldap sql
In 3.0, the "ok = return" will match on EAP-identity packets for the inner tunnel but *also* EAP-MSCHAPv2 success/failure packets. So, the final pass through the tunnel will be skipped.
Is there any benefit in returning ok here for MSCHAP success/failure? I guess it saves one extra duplicate call to ldap/sql/etc. https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_... It seems that this is likely a time when it would be better to *not* short-circuit, i.e. the last time through authorize before the accept/reject? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>