eap-ttls/mschapv2 versus eap-peap/mschapv2 behaviour

Olivier Beytrison olivier at heliosnet.org
Thu Jul 18 15:59:16 CEST 2013 

On 18.07.2013 14:37, Alan DeKok wrote:
> Olivier Beytrison wrote:
>> in authorize, when eap (eap_peap) return "handled", the ldap module is
>> executed, and adds attributes to the reply.
>> It the goes to authenticate and EAP is called again, but only eap and
>> peap_mschapv2 are executed, not eap_peap.
> 
>   I'm not sure what that means.  There's EAP-MSCHAPv2, but not
> peap-mschapv2.

Yeah sorry, made a typo, it's eap_mschapv2

>   And EAP-MSCHAPv2 runs inside of PEAP.  So the code should always go
> EAP -> PEAP -> EAP-MSCHAPv2

Ran the server in gdb, and couldn't verify this. That's what I had :

#0  mschapv2_authenticate (arg=0x8dc7e0, handler=0x924a50) at
src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c:371
#1  0x00007fffeff8a35b in eap_module_call (handler=0x924a50,
module=<optimized out>) at src/modules/rlm_eap/eap.c:217
#2  0x00007fffeff8a758 in eap_method_select (inst=0x8b8e10,
handler=<optimized out>) at src/modules/rlm_eap/eap.c:473
#3  0x00007fffeff89de3 in mod_authenticate (request=0x917220,
instance=0x8b8e10) at src/modules/rlm_eap/rlm_eap.c:302
#4  mod_authenticate (instance=0x8b8e10, request=0x917220) at
src/modules/rlm_eap/rlm_eap.c:262
#5  0x000000000041e410 in call_modsingle (request=0x917220, component=0,
sp=<optimized out>) at src/main/modcall.c:311
#6  modcall (component=0, c=0x8e2fe0, request=<optimized out>) at
src/main/modcall.c:796

no peap in the stack. eap_mschapv2 is directly run from EAP

The main point I'm discussing here is that, at least on OUR side
eap-ttls/mschapv2 and eap-peap/peap-mschapv2 are the main method used by
our clients.

And we get different behaviour on the server (okay they are two
different eap types with different flows).

With ttls we can set attributes in authz and use them in post-auth, with
peap we can't.

Now if this will remain because of the design, the protocols ect, it
should be documented, and I'll setup the cache module again.

But I think, for consistency, that attributes added in authz should be
made available in post-auth. The base code is here (accept_vps being
saved), it just needs to be used at the right time.

Full debug of a eap-peap/mschapv2 :
https://gist.github.com/olivierbeytrison/912b9aa8e0ebc3cc0385

full debug of an eap-ttls/mschapv2 :
https://gist.github.com/olivierbeytrison/3ca76806d015ad108104

Olivier
--
 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: olivier at heliosnet.org

More information about the Freeradius-Devel mailing list