Hi,
You probably have an "inner-tunnel" virtual server where you've removed "mschap" from the "authenticate" section.
I Don't. My authenticate{} in inner-tunnel is: authenticate { Auth-Type PAP{ pap_hash_debugfallback } Auth-Type MS-CHAP{ mschap_hash_debugfallback } eap } mschap_hash_debugfallback is a policy doing weird things, but one of those things is that it calls "mschap" just like the default shipped inner-tunnel does. Greetings, Stefan Winter
The EAP-MSCHAPv2 module looks up the value for "Auth-Type MSCHAP" when it starts, and caches it. But critically, that value is global. There's no guarantee that the "Auth-Type MSCHAP" section exists in the virtual server which is using EAP-MSCHAPv2.
Doing that extra validation at startup time would require some significant code changes. The EAP-MSCHAPv2 module would have to get a list of all virtual servers where it's used, and then troll through those, looking for MSCHAP modules.
Or, having the EAP-MSCHAPv2 do a dlopen() of the rlm_mschap module directly, and call it directly. That might be weirder, but simpler.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66