eap-ttls/mschapv2 versus eap-peap/mschapv2 behaviour
Olivier Beytrison
olivier at heliosnet.org
Thu Jul 18 13:02:45 CEST 2013
On 18.07.2013 12:47, Phil Mayers wrote:
> On 18/07/13 10:56, Olivier Beytrison wrote:
>
>> Now I like the short-circuit concept as it saves quite some unneeded
>> processing. But I'd like to have a mechanism that removes and stores any
>> attributes present in the reply (within the inner-tunnel) until the
>> mschapv2 succeeded.
>
> Ok. What, in detail, are you proposing?
Well, that the use_tunneled_reply works as expected for
EAP-PEAP/PEAPv0-MSCHAPv2 ;)
> For clarity - I think it would be a mistake for the server core to save
> all attributes from Access-Challenge and copy them to the Access-Accept;
> it would *have* to be smarter/more conditional than that, and I would
> want a way to disable it.
Sure, we don't want that. But we could imagine a form of integration of
rlm_cache within eap. One of the benefits would be that we could save
attributes present in other lists (like control in my case). That way we
could work on those attributes in post-auth.
Actually I need to put them in reply (in order for them to be saved),
and in post-auth I need to remove them (or through attr_filters).
Olivier
--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mail: olivier at heliosnet.org