Alan DeKok schrieb:
Andreas Hartmann wrote:
well, I thought about the problem with reauth: Why must there be passwords in the session?
There shouldn't be passwords in the session. There should be a *name* in the session.
That's why it shouldn't be necessary to have these Keys in the Session or in the response (the client didn't send any password, too).
At the moment of adding the Password to the session, the handshake has been done already.
I have no idea why you think it's adding passwords to the session. It's not.
I derived it from the PW_ prefix of the variable name, which is wrong. I know it meanwhile.
Therefore, I did the following change (-> for testing only!!!! This should be used only with EAP/tls for testing - no warranty!):
That change removes the fix added in 2.1.8. It *will* break your system.
I know that it was added because of another reported bug. And I know, that my test-change can't be a solution (as I wrote myself). The problem seems to be much deeper. Kind regards, Andreas