eap-ttls/mschapv2 versus eap-peap/mschapv2 behaviour

Matthew Newton mcn4 at leicester.ac.uk
Thu Jul 18 11:50:11 CEST 2013

On Thu, Jul 18, 2013 at 09:53:02AM +0100, Phil Mayers wrote:
> Setting them in authorize is only safe if you set them on *every
> pass* through authorize. You're not doing this, because you have:
>
> eap {
>   ok = return
> }
> ldap
> sql
>
> In 3.0, the "ok = return" will match on EAP-identity packets for the
> inner tunnel but *also* EAP-MSCHAPv2 success/failure packets. So,
> the final pass through the tunnel will be skipped.

Is there any benefit in returning ok here for MSCHAP
success/failure? I guess it saves one extra duplicate call to


It seems that this is likely a time when it would be better to
*not* short-circuit, i.e. the last time through authorize before
the accept/reject?


Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
