eap-ttls/mschapv2 versus eap-peap/mschapv2 behaviour
Alan DeKok
aland at deployingradius.com
Thu Jul 18 17:42:01 CEST 2013
Olivier Beytrison wrote:
>> And EAP-MSCHAPv2 runs inside of PEAP. So the code should always go
>> EAP -> PEAP -> EAP-MSCHAPv2
>
> Ran the server in gdb, and couldn't verify this. That's what I had:
The stack trace should be much larger than that. PEAP creates a
"fake" request, and calls rad_authenticate() again, for the inner-tunnel
data.
> The main point I'm discussing here is that, at least on OUR side
> eap-ttls/mschapv2 and eap-peap/peap-mschapv2 are the main methods used by
> our clients.
Try eapol_test, and eap-ttls/EAP-MSCHAPv2. You'll see the same thing
as with PEAP.
> But I think, for consistency, that attributes added in authz should be
> made available in post-auth. The base code is here (accept_vps being
> saved), it just needs to be used at the right time.
I think this is the same as v2, right? Or am I missing something...
If it's the same as v2, we'll fix it in the next release.
Alan DeKok.