eap-ttls/mschapv2 versus eap-peap/mschapv2 behaviour

Alan DeKok aland at deployingradius.com
Thu Jul 18 12:15:35 CEST 2013

Olivier Beytrison wrote:
> This is the opportunity to discuss the difference of behaviour between
> EAP-TTLS/MSCHAPv2 and EAP-PEAP/MSCHAPv2 which is bothersome.

  As Phil said, it's really EAP-PEAP/EAP-MSCHAPv2.  That's the source of
the difference.

> This means that with EAP-PEAP/MSCHAPv2, if the ldap/sql/xxx module in
> authorize{} adds attributes to the reply, they will be sent during the
> last challenge/response in authenticate{}, and will not be present in
> post-auth or the final access-accept.

  That's what "use_tunneled_reply" is for.  The reply gets cached, and
sent in the final Access-Accept.  This is the same behavior as 2.x.

  See "accept_vps" in peap.c.  Maybe you don't have "use_tunneled_reply"

  Alan DeKok.
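
The setting discussed in this message, shown in context as an added configuration example (not part of the original post and not taken from the FreeRADIUS distribution). The "update reply" block stands in for whatever the ldap/sql module would add, and the VLAN values are constructed.

```conf
# eap module configuration (assumed layout; only the tunnelled methods shown)
eap {
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		# Cache the inner reply attributes and send them in the
		# final (outer) Access-Accept. With "no", attributes added
		# inside the tunnel never reach the NAS.
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}
	ttls {
		copy_request_to_tunnel = no
		use_tunneled_reply = yes
		virtual_server = "inner-tunnel"
	}
}

# Inner tunnel virtual server: authorization attributes are added here.
server inner-tunnel {
	authorize {
		mschap
		eap
		# Constructed stand-in for attributes returned by ldap/sql.
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "42"
		}
	}
	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}
```

To check the result, run the server in debug mode and confirm that the Tunnel-* attributes appear in the outer Access-Accept for both a PEAP and a TTLS client, not only in the inner reply.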
