On 18/07/13 10:50, Matthew Newton wrote:
On Thu, Jul 18, 2013 at 09:53:02AM +0100, Phil Mayers wrote:
Setting them in authorize is only safe if you set them on *every pass* through authorize. You're not doing this, because you have:
eap { ok = return } ldap sql
In 3.0, the "ok = return" will match on EAP-identity packets for the inner tunnel but *also* EAP-MSCHAPv2 success/failure packets. So, the final pass through the tunnel will be skipped.
Is there any benefit in returning ok here for MSCHAP success/failure? I guess it saves one extra duplicate call to ldap/sql/etc.
Exactly that.
It seems that this is likely a time when it would be better to *not* short-circuit, i.e. the last time through authorize before the accept/reject?
Maybe, maybe not. This got discussed on (I think) the JANET-ROAMING list ages ago - people wanted it, so I wrote the patch. I personally want to short-circuit there - we currently do it with a horrible regexp. Sadly there aren't an infinity of return codes we can (ab)use, so unless we set an attribute, removing this code will get us back to the situation where using a horrible regexp to parse hex is the "solution".