alan buxey wrote:
during recent testing/validation of authentication methods on our server we found a problem with EAP-TTLS/EAP-MSCHAPv2
basically, after looking at the packets to see whats wrong or where things went wrong we found the following to be the case,
the inner-tunnel calls the EAP-MSCHAPv2 method which itself is an EAP method.. the end result is two sets of some MS-MMPE keys .. can anyone else validate this behaviour (in case its resulting from something we've done)?
It works for me with the current "git" head. Maybe there's something different about the client? The only thing I can see which *might* help is: rlm_eap_mschap.c: case PW_EAP_MSCHAPV2_SUCCESS: eap_ds->request->code = PW_EAP_SUCCESS; pairadd(&handler->request->reply->vps, data->mppe_keys); data->mppe_keys = NULL; /* fall through... */ It could be: case PW_EAP_MSCHAPV2_SUCCESS: eap_ds->request->code = PW_EAP_SUCCESS; if (!handler->request->parent) { pairadd(&handler->request->reply->vps, data->mppe_keys); data->mppe_keys = NULL; } /* fall through... */ That might work. Alan DeKok.