double tunnel trouble...

alan buxey A.L.M.Buxey at
Tue Jun 26 11:53:03 CEST 2012


during recent testing/validation of authentication methods on our server
we found a problem with EAP-TTLS/EAP-MSCHAPv2

basically, after looking at the packets to see what's wrong or where things went wrong
we found the following to be the case,

the inner-tunnel calls the EAP-MSCHAPv2 method which itself is an EAP method..
the end result is two sets of some MS-MPPE keys


these get duplicated....

our current 'fix' is to just reset these in the post-auth section of the inner-tunnel
so that only the last ones are created/dealt with - so far, that works for clients
but it's a little ugly and shouldn't be needed.

post-auth {

	# Remove the Double Sets of Keys when using ttls eap in eap
	update reply {
		MS-MPPE-Send-Key !* 0x00
		MS-MPPE-Recv-Key !* 0x00
	}
}

can anyone else validate this behaviour (in case it's resulting from something we've done)?
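
One way to check a captured reply for the duplication described in the message above, as an added example that is not part of the original post or of FreeRADIUS. It assumes the duplicate keys show up as repeated Microsoft vendor-specific attributes in a single RADIUS packet; the helper names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865)
MICROSOFT = 311        # Microsoft vendor id (RFC 2548)
MPPE = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}  # RFC 2548 vendor types

def mppe_key_counts(packet: bytes) -> Counter:
    """Count MS-MPPE-Send-Key / MS-MPPE-Recv-Key attributes in one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    counts, pos = Counter(), 20          # attributes follow the 20-byte header
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
            # One Vendor-Specific attribute may carry several sub-attributes.
            while vendor == MICROSOFT and len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if sub[0] in MPPE:
                    counts[MPPE[sub[0]]] += 1
                sub = sub[sub[1]:]
        pos += alen
    return counts

def duplicated_keys(packet: bytes) -> list:
    """Names of MPPE key attributes that occur more than once."""
    return sorted(n for n, c in mppe_key_counts(packet).items() if c > 1)

def _vsa(vtype: int, key: bytes) -> bytes:
    """Constructed sample helper: one Microsoft VSA holding one sub-attribute."""
    body = struct.pack("!I", MICROSOFT) + bytes([vtype, len(key) + 2]) + key
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def _accept(*attrs: bytes) -> bytes:
    """Constructed sample helper: Access-Accept (code 2) with a zeroed authenticator."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

KEY = bytes(34)  # constructed filler standing in for salt + encrypted key
DUPLICATED = _accept(_vsa(16, KEY), _vsa(17, KEY), _vsa(16, KEY), _vsa(17, KEY))
CLEAN = _accept(_vsa(16, KEY), _vsa(17, KEY))
```

Feeding it the raw UDP payload of a reply, with and without the post-auth workaround in place, shows whether the second set of keys is still being sent.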

