On Tue, Mar 31, 2015 at 7:16 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 31, 2015, at 10:53 AM, Jouni Malinen <jkmalinen@gmail.com> wrote:
This workaround (of not sending session ticket) can also be disabled with eap_workaround=0, but it looks like that actually results in other issues with FreeRADIUS (mismatch in EAP-MSCHAPv2 header length when used within PEAP),
Hmm... I don't see that here. Do you have packet traces / debug logs?
I was going to say that I cannot reproduce it anymore, but then I remembered that I tested with number of FreeRADIUS versions today. This does not show up with 2.2.6, but does show up with 3.0.2. I didn't have a more recent 3.0.x compiled in the earlier tests, but now that I checked with 3.0.7, it looks like the issue has been fixed. The error with 3.0.2 when eap_workaround=0 is used looked like this: EAP-PEAP: TLS done, proceed to Phase 2 ... EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26 EAP-MSCHAPV2: Invalid header: len=71 ms_len=33 Anyway, with that having already been addressed, eap_workaround=0 seems to work fine with both 2.2.6 and 3.0.7 and that does allow TLS session ticket to be used.
And the inner EAP data in PEAP is... stupid. Very, very, stupid. <sigh>
Indeed.. And to make it even worse, the behavior is different between PEAP v0 and v1 (or v2 that almost no one supports).. - Jouni