double tunnel trouble...
alan buxey
A.L.M.Buxey at lboro.ac.uk
Tue Jun 26 11:53:03 CEST 2012
hi,
during recent testing/validation of authentication methods on our server
we found a problem with EAP-TTLS/EAP-MSCHAPv2
basically, after looking at the packets to see what's wrong or where things went wrong
we found the following to be the case,
the inner-tunnel calls the EAP-MSCHAPv2 method which itself is an EAP method..
the end result is two sets of some MS-MPPE keys
MS-MPPE-Send-Key
MS-MPPE-Recv-Key
these get duplicated....
our current 'fix' is to just reset these in the post-auth section of the inner-tunnel
so that only the last ones are created/dealt with - so far, that works for clients
but it's a little ugly and shouldn't be needed.

    post-auth {
        #
        # Remove the Double Sets of Keys when using ttls eap in eap
        #
        update reply {
            MS-MPPE-Send-Key !* 0x00
            MS-MPPE-Recv-Key !* 0x00
        }
    }

can anyone else validate this behaviour (in case it's resulting from something we've done)?
alan