eap-ttls/mschapv2 versus eap-peap/mschapv2 behaviour
Alan DeKok
aland at deployingradius.com
Thu Jul 18 12:15:35 CEST 2013
Olivier Beytrison wrote:
> This is the opportunity to discuss the difference of behaviour between
> EAP-TTLS/MSCHAPv2 and EAP-PEAP/MSCHAPv2 which is bothersome.
As Phil said, it's really EAP-PEAP/EAP-MSCHAPv2. That's the source of
the difference.
> This means that with EAP-PEAP/MSCHAPv2, if the ldap/sql/xxx module in
> authorize{} adds attributes to the reply, they will be sent during the
> last challenge/response in authenticate{}, and will not be present in
> post-auth or the final access-accept.
That's what "use_tunneled_reply" is for. The reply gets cached, and
sent in the final Access-Accept. This is the same behavior as 2.x.
See "accept_vps" in peap.c. Maybe you don't have "use_tunneled_reply"
set?
Alan DeKok.