eap-ttls/mschapv2 versus eap-peap/mschapv2 behaviour

Olivier Beytrison olivier at heliosnet.org
Thu Jul 18 13:02:45 CEST 2013

On 18.07.2013 12:47, Phil Mayers wrote:
> On 18/07/13 10:56, Olivier Beytrison wrote:
>> Now I like the short-circuit concept as it save quite some uneeded
>> processing. But I'd like to have a mechanism that remove and stores any
>> attributes present in the reply (within the inner-tunnel) until the
>> mschapv2 succeeded.
> Ok. What, in detail, are you proposing?

Well, that the use_tunneled_reply work as expected for 

> For clarity - I think it would be a mistake for the server core to save
> all attributes from Access-Challenge and copy them to the Access-Accept;
> it would *have* to be smarter/more conditional than that, and I would
> want a way to disable it.

Sure we don't want that. But we could imagine a form of integration of 
rlm_cache within eap. One of the benefit would be that we could save 
attribute present in other lists (like control in my case). That way we 
could work on those attributes in post-auth.

Actually I need to put them in reply (in order for them to be saved), 
and in post-auth I need to remove them (or through attr_filters).


  Olivier Beytrison
  Network & Security Engineer, HES-SO Fribourg
  Mail: olivier at heliosnet.org

More information about the Freeradius-Devel mailing list