eap-ttls/mschapv2 versus eap-peap/mschapv2 behaviour

Alan DeKok aland at deployingradius.com
Thu Jul 18 17:42:01 CEST 2013

Olivier Beytrison wrote:
>>   And EAP-MSCHAPv2 runs inside of PEAP.  So the code should always go
> Ran the server in gdb, and couldn't verify this. That's what I had :

  The stack trace should be much larger than that.  PEAP creates a
"fake" request, and calls rad_authenticate() again, for the inner-tunnel

> The main point I'm discussing here is that, at least on OUR side
> eap-ttls/mschapv2 and eap-peap/peap-mschapv2 are the main method used by
> our clients.

  Try eapol_test, and eap-ttls/EAP-MSCHAPv2.  You'll see the same thing
as with PEAP.

> But I think, for consistency, that attributes added in authz should be
> made available in post-auth. The base code is here (accept_vps being
> saved), it just needs to be used at the right time.

  I think this is the same as v2, right?  Or am I missing something...

  If it's the same as v2, we'll fix it in the next release.

  Alan DeKok.

More information about the Freeradius-Devel mailing list