double tunnel trouble...

Alan DeKok aland at deployingradius.com
Tue Jun 26 14:46:15 CEST 2012


alan buxey wrote:
> during recent testing/validation of authentication methods on our server
> we found a problem with EAP-TTLS/EAP-MSCHAPv2
> 
> basically, after looking at the packets to see what's wrong or where things went wrong
> we found the following to be the case,
> 
> the inner-tunnel calls the EAP-MSCHAPv2 method which itself is an EAP method..
> the end result is two sets of some MS-MPPE keys
..
> can anyone else validate this behaviour (in case it's resulting from something we've done)?

  It works for me with the current "git" head.  Maybe there's something
different about the client?

  The only thing I can see which *might* help is: rlm_eap_mschap.c:

	case PW_EAP_MSCHAPV2_SUCCESS:
		eap_ds->request->code = PW_EAP_SUCCESS;
		pairadd(&handler->request->reply->vps, data->mppe_keys);
		data->mppe_keys = NULL;
		/* fall through... */

  It could be:

	case PW_EAP_MSCHAPV2_SUCCESS:
		eap_ds->request->code = PW_EAP_SUCCESS;
		if (!handler->request->parent) {
			pairadd(&handler->request->reply->vps, data->mppe_keys);
			data->mppe_keys = NULL;
		}
		/* fall through... */

  That might work.

  Alan DeKok.
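
One way to check a captured Access-Accept for the symptom reported in this thread (two sets of MS-MPPE keys), as an added example that is not part of the original message or of FreeRADIUS. It assumes the RFC 2865 attribute layout and the RFC 2548 vendor types; the function names and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define RADIUS_HDR_LEN   20    /* code, id, length(2), authenticator(16) */
#define ATTR_VSA         26    /* Vendor-Specific */
#define VENDOR_MICROSOFT 311u
#define MS_MPPE_SEND_KEY 16    /* vendor types from RFC 2548 */
#define MS_MPPE_RECV_KEY 17

/* Count MS-MPPE-Send-Key / MS-MPPE-Recv-Key VSAs in one RADIUS packet.
 * Returns 0 on success, -1 if the packet is malformed. */
int count_mppe_keys(const uint8_t *pkt, size_t len, int *send, int *recv)
{
	*send = *recv = 0;
	if (len < RADIUS_HDR_LEN) return -1;
	size_t plen = ((size_t)pkt[2] << 8) | pkt[3];
	if (plen < RADIUS_HDR_LEN || plen > len) return -1;
	for (size_t off = RADIUS_HDR_LEN; off < plen; ) {
		if (plen - off < 2) return -1;
		uint8_t type = pkt[off], alen = pkt[off + 1];
		if (alen < 2 || alen > plen - off) return -1;
		const uint8_t *v = pkt + off + 2;  /* vendor-id(4), vendor-type, vendor-length */
		if (type == ATTR_VSA && alen >= 8) {
			uint32_t vendor = ((uint32_t)v[0] << 24) | ((uint32_t)v[1] << 16) |
			                  ((uint32_t)v[2] << 8) | v[3];
			if (vendor == VENDOR_MICROSOFT && v[4] == MS_MPPE_SEND_KEY) (*send)++;
			if (vendor == VENDOR_MICROSOFT && v[4] == MS_MPPE_RECV_KEY) (*recv)++;
		}
		off += alen;
	}
	return 0;
}

/* 1 if more than one set of MPPE keys is present, 0 if not, -1 if malformed. */
int has_duplicate_mppe_keys(const uint8_t *pkt, size_t len)
{
	int s, r;
	if (count_mppe_keys(pkt, len, &s, &r) < 0) return -1;
	return s > 1 || r > 1;
}

/* Constructed sample packets: Access-Accept, zeroed authenticator, dummy key bytes. */
#define HDR(len)    2, 1, 0, (len), 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0
#define MPPE_VSA(t) ATTR_VSA, 10, 0, 0, 0x01, 0x37, (t), 4, 0xAA, 0xBB
static const uint8_t sample_dup[] = { HDR(60), MPPE_VSA(16), MPPE_VSA(17), MPPE_VSA(16), MPPE_VSA(17) };
static const uint8_t sample_ok[]  = { HDR(40), MPPE_VSA(17), MPPE_VSA(16) };

int main(void) { return has_duplicate_mppe_keys(sample_dup, sizeof sample_dup) == 1 ? 0 : 1; }
```
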

