eap-ttls/mschapv2 versus eap-peap/mschapv2 behaviour

Olivier Beytrison olivier at heliosnet.org
Thu Jul 18 12:57:00 CEST 2013

On 18.07.2013 12:15, Alan DeKok wrote:
> Olivier Beytrison wrote:
>> This is the opportunity to discuss the difference of behaviour between
>> EAP-TTLS/MSCHAPv2 and EAP-PEAP/MSCHAPv2 which is bothersome.
>    As Phil said, it's really EAP-PEAP/EAP-MSCHAPv2.  That's the source of
> the difference.
>> This means that with EAP-PEAP/MSCHAPv2, if the ldap/sql/xxx module in
>> authorize{} add attributes to the reply, they will be sent during the
>> last challenge/response in authenticate{}, and will not be present in
>> post-auth or the final access-accept.
>    That's what "use_tunneled_reply" is for.  The reply gets cached, and
> sent in the final Access-Accept.  This is the same behavior as 2.x.
>    See "accept_vps" in peap.c.  Maybe you don't have "use_tunneled_reply"
> set?

both copy_request_to_tunnel and use_tunneled_reply are set to yes.

As discussed, the code to save the VP is there. What happens on my side
is that it's called on the 8th packet, whereas the ldap module has been
called on the 7th packet. So there's nothing to save at this time.

imho there is something to fix here.

  Olivier Beytrison
  Network & Security Engineer, HES-SO Fribourg
  Mail: olivier at heliosnet.org
