eap-ttls/mschapv2 versus eap-peap/mschapv2 behaviour

Olivier Beytrison olivier at heliosnet.org
Thu Jul 18 18:14:47 CEST 2013


On 18.07.2013, at 17:42, Alan DeKok <aland at deployingradius.com> wrote:

> Olivier Beytrison wrote:
>>>  And EAP-MSCHAPv2 runs inside of PEAP.  So the code should always go
>>> EAP -> PEAP -> EAP-MSCHAPv2
>> 
>> Ran the server in gdb, and couldn't verify this. That's what I had :
> 
>  The stack trace should be much larger than that.  PEAP creates a
> "fake" request, and calls rad_authenticate() again, for the inner-tunnel
> data.
> 
Weird. That's what I get for each call to mschapv2 functions.

>> The main point I'm discussing here is that, at least on OUR side
>> eap-ttls/mschapv2 and eap-peap/peap-mschapv2 are the main method used by
>> our clients.
> 
>  Try eapol_test, and eap-ttls/EAP-MSCHAPv2.  You'll see the same thing
> as with PEAP.
Yeah it will be the same. 
> 
>> But I think, for consistency, that attributes added in authz should be
>> made available in post-auth. The base code is here (accept_vps being
>> saved), it just needs to be used at the right time.
> 
>  I think this is the same as v2, right?  Or am I missing something...
> 
>  If it's the same as v2, we'll fix it in the next release.

Well I can't tell. In my last servers running v2 I didn't implement the short-circuit logic, so the ldap module is called on every packets (those were my first freeradius server and the config is horrible)

Well I implemented the cache module as I had before, but maybe this could be an enhancement for a future release (either in then server core or through a policy using rlm_cache)

Olivier


More information about the Freeradius-Devel mailing list