eap-ttls/mschapv2 versus eap-peap/mschapv2 behaviour

Phil Mayers p.mayers at imperial.ac.uk
Thu Jul 18 12:43:43 CEST 2013

On 18/07/13 10:50, Matthew Newton wrote:
> On Thu, Jul 18, 2013 at 09:53:02AM +0100, Phil Mayers wrote:
>> Setting them in authorize is only safe if you set them on *every
>> pass* through authorize. You're not doing this, because you have:
>> eap {
>>    ok = return
>> }
>> ldap
>> sql
>> In 3.0, the "ok = return" will match on EAP-identity packets for the
>> inner tunnel but *also* EAP-MSCHAPv2 success/failure packets. So,
>> the final pass through the tunnel will be skipped.
> Is there any benefit in returning ok here for MSCHAP
> success/failure? I guess it saves one extra duplicate call to
> ldap/sql/etc.

Exactly that.

> It seems that this is likely a time when it would be better to
> *not* short-circuit, i.e. the last time through authorize before
> the accept/reject?

Maybe, maybe not. This got discussed on (I think) the JANET-ROAMING list 
ages ago - people wanted it, so I wrote the patch.

I personally want to short-circuit there - we currently do it with a 
horrible regexp.

Sadly there aren't an infinity of return codes we can (ab)use, so unless 
we set an attribute, removing this code will get us back to the 
situation where using a horrible regexp to parse hex is the "solution".

More information about the Freeradius-Devel mailing list