"use_tunnel_reply" not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf
Nitin Bhardwaj
nbhardwaj at merunetworks.com
Thu Jul 7 08:55:48 CEST 2011
> Nitin Bhardwaj wrote:
> > Hi,
>
> Please edit your posts. It's not nice to go through hundreds of lines
> of garbage in order to read the *real* content of the message.
Alan,
I posted the output of "radiusd -X" in the previous message, as is the
norm on the mailing list, and replied to the same in the last message.
That is not *garbage*, is it?
> > Found out that this works perfectly fine in freeradius 3.0.0 (master git
> > branch).
>
> That's nice to know.
>
> > Can anyone please suggest which patches I need to back-port to 2.1.11 to
> > make this work in 2.1.x branch too ?
>
> You can't. The code is *completely* different.
>
> Alan DeKok.
In 2.1.11, I observed that the problem happens when you set
"proxy_tunneled_request_as_eap = no" (with "default_eap_type = mschapv2").
Hence it seems the function mschap_postproxy() in rlm_eap_mschapv2.c is
somehow wiping off the extra attributes.
Comparing the radiusd -X logs of 2.x with those of 3.x corroborates this observation:
-------------------------< snip-log 2.x >-------------------------------
# Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server proxy-inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
# Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel
0x8e86e20 2.
rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
} # server proxy-inner-tunnel
-------------------------< snip-end >-------------------------------
-------------------------< snip-log 3.x >---------------------------
(8) # Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/default
(8) group post-proxy {
(8) - entering group post-proxy {...}
(8) eap : Doing post-proxy callback
(8) eap : Passing reply from proxy back into the tunnel.
server proxy-inner-tunnel {
(8) eap : Passing reply back for EAP-MS-CHAP-V2
(8) # Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
(8) group post-proxy {
(8) - entering group post-proxy {...}
(8) [eap] = noop
(8) WARNING: Empty post-auth section. Using default return values.
} # server proxy-inner-tunnel
-------------------------< snip-end >-------------------------------
In the 3.x code, we return RLM_MODULE_NOOP from eap_post_proxy():
	/*
	 *	Just in case the admin lists EAP in post-proxy-type Fail.
	 */
	if (!request->proxy_reply) return RLM_MODULE_NOOP;
But we are not doing so in the 2.1.11 code. There we call the MSCHAPv2
callback, i.e. mschap_postproxy(), which might be wiping off the attributes.
So, my question is: would adding this code patch to the 2.x code be prudent
to make it work? Or do we need to fix the mschapv2 handler itself,
mschap_postproxy() in rlm_eap_mschapv2.c, so that it retains the extra
attributes sent by the RADIUS home server?
Please advise.
--
Thanks,
Nitin.
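The eap.conf settings the thread is discussing, shown together in context. This is an added illustration, not configuration posted by anyone in the thread; the option names are the stock FreeRADIUS 2.x eap.conf options for the peap and mschapv2 sub-modules, and the tls section (certificates, CA, dh file) is assumed to be the one already present in the stock file.

```conf
eap {
	# Outer EAP method offered to the supplicant.
	default_eap_type = peap

	# The inner MS-CHAPv2 handler; it has no options that matter here.
	mschapv2 {
	}

	# tls { ... } is assumed to be the stock section with valid
	# certificate_file / private_key_file / CA_file settings.

	peap {
		# Inner method carried inside the TLS tunnel.
		default_eap_type = mschapv2

		# Attributes from the outer request are not copied into the
		# inner request (stock default).
		copy_request_to_tunnel = no

		# Copy the reply attributes produced inside the tunnel (for a
		# proxied inner request: the home server's reply, e.g. VLAN
		# assignment) onto the reply sent to the NAS. This is the
		# setting the thread says is not taking effect in 2.1.11.
		use_tunnel_reply = yes

		# Proxy the inner request as plain MS-CHAPv2 rather than as EAP.
		# The thread reports the attribute loss only with this set to no.
		proxy_tunneled_request_as_eap = no

		# Virtual server that handles the inner request.
		virtual_server = "inner-tunnel"
	}
}
```

With use_tunnel_reply = yes the NAS only sees the home server's reply attributes if the post-proxy path leaves them in place; if they are stripped there, the outer Access-Accept carries none of them and the NAS applies its defaults. Running radiusd -X and reading the post-proxy section of the inner-tunnel server, as done above, is the direct way to see which attributes survive that step on a given version.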