eap-ttls/mschapv2 versus eap-peap/mschapv2 behaviour
Matthew Newton
mcn4 at leicester.ac.uk
Thu Jul 18 11:50:11 CEST 2013
On Thu, Jul 18, 2013 at 09:53:02AM +0100, Phil Mayers wrote:
> Setting them in authorize is only safe if you set them on *every
> pass* through authorize. You're not doing this, because you have:
>
> eap {
>     ok = return
> }
> ldap
> sql
>
> In 3.0, the "ok = return" will match on EAP-identity packets for the
> inner tunnel but *also* EAP-MSCHAPv2 success/failure packets. So,
> the final pass through the tunnel will be skipped.

Is there any benefit in returning ok here for MSCHAP
success/failure? I guess it saves one extra duplicate call to
ldap/sql/etc.

https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_eap/eap.c#L867-876

It seems that this is likely a time when it would be better to
*not* short-circuit, i.e. the last time through authorize before
the accept/reject?

Matthew

--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
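
A simplified model of the behaviour discussed in this message, added as an example and not FreeRADIUS code or part of the original post: it walks the quoted authorize section over a constructed inner-tunnel EAP-MSCHAPv2 exchange and shows which passes reach ldap and sql. The per-packet eap return codes, the reply attribute values and all names in the code are assumptions for illustration.

```python
# Simplified model of unlang authorize processing; not FreeRADIUS code.

# Constructed inner-tunnel EAP-MSCHAPv2 exchange. The rcode the eap module
# returns for each packet is an assumption taken from the quoted description
# of 3.0: "ok" for identity and success/failure, "updated" otherwise.
INNER_PASSES = [
    ("EAP-Identity", "ok"),
    ("EAP-MSCHAPv2 response", "updated"),
    ("EAP-MSCHAPv2 success/failure", "ok"),
]

# Constructed reply attributes that each lookup module would set.
MODULE_ATTRS = {
    "ldap": {"Tunnel-Private-Group-Id": "staff"},
    "sql": {"Session-Timeout": "3600"},
}


def run_authorize(section, eap_rcode):
    """Run one pass. section is [(module, {rcode: action})] in config order.
    Returns (modules_run, reply_attributes_set_in_this_pass)."""
    ran, reply = [], {}
    for name, actions in section:
        ran.append(name)
        reply.update(MODULE_ATTRS.get(name, {}))
        rcode = eap_rcode if name == "eap" else "ok"  # assume lookups succeed
        if actions.get(rcode) == "return":
            break  # "ok = return": stop processing the section here
    return ran, reply


def audit(section):
    """Map each inner-tunnel packet to the reply attributes set on that pass."""
    return {pkt: run_authorize(section, rcode)[1] for pkt, rcode in INNER_PASSES}


SHORT_CIRCUIT = [("eap", {"ok": "return"}), ("ldap", {}), ("sql", {})]
EVERY_PASS = [("eap", {}), ("ldap", {}), ("sql", {})]

if __name__ == "__main__":
    for label, section in (("eap { ok = return }", SHORT_CIRCUIT), ("eap", EVERY_PASS)):
        print(label)
        for pkt, attrs in audit(section).items():
            print(f"  {pkt:30} -> {attrs or 'no attributes set'}")
```
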