On 18.07.2013 12:47, Phil Mayers wrote:
On 18/07/13 10:56, Olivier Beytrison wrote:
Now I like the short-circuit concept as it save quite some uneeded processing. But I'd like to have a mechanism that remove and stores any attributes present in the reply (within the inner-tunnel) until the mschapv2 succeeded.
Ok. What, in detail, are you proposing?
Well, that the use_tunneled_reply work as expected for EAP-PEAP/PEAPv0-MSCHAPv2 ;)
For clarity - I think it would be a mistake for the server core to save all attributes from Access-Challenge and copy them to the Access-Accept; it would *have* to be smarter/more conditional than that, and I would want a way to disable it.
Sure we don't want that. But we could imagine a form of integration of rlm_cache within eap. One of the benefit would be that we could save attribute present in other lists (like control in my case). That way we could work on those attributes in post-auth. Actually I need to put them in reply (in order for them to be saved), and in post-auth I need to remove them (or through attr_filters). Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org