PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

Phil Mayers p.mayers at imperial.ac.uk
Sat May 19 13:50:01 CEST 2012


On 05/19/2012 12:37 PM, alan buxey wrote:
> Hi,
>
>>> Am I being dumb / getting something wrong or does the post-auth session
>>> not get called if PEAP/MSCHAP returns a reject?
>>>
>>> It seems to run for successful auths, but not failures.
>>
>>    That is the case.
>>
>>> This is in the context of us not seeing log messages for EAP auth
>>> failures; I suspect that the client may just "hang up" and let the EAP
>>> session expire, and since the inner post-auth doesn't run, and the outer
>>> session expires, I have no logs.
>>
>>    There was talk about getting it to do Post-Auth-Type Reject in the
>> inner tunnel.  No code yet, tho.
>
> interesting/useful - I was seeing exactly the same behaviour last week when setting
> something up...thought I was going a bit mad and was going to post something
> to this list next week... failed PEAP/MSCHAP doesn't enter the post-auth reject
> session whether it's local or a remote (proxied) one. I did something else at the time
> as a work-around but it would be good to have the failure code hit just as PAP
> requests get

I haven't tested this, and can't easily right now, but I expect 
something similar would happen with TTLS; can you verify this? I'm 
particularly curious to know what the difference between TTLS/PAP and 
TTLS/EAP-MSCHAPv2 would be based on the code paths involved (see -devel 
post)
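To make the behaviour under discussion concrete, here is an added example (not configuration posted by either participant) of a minimal FreeRADIUS 2.x inner-tunnel virtual server whose Post-Auth-Type REJECT block writes a line for each rejected inner authentication. The linelog module name, log path and format string are assumptions; the section names and module calls are the stock 2.x ones. Whether the REJECT block is entered at all for a given inner method (PAP vs. EAP-MSCHAPv2, local vs. proxied) is exactly what the thread is asking, so a setup like this is the natural way to verify it per method.

```unlang
# Added example, not the posters' configuration.  FreeRADIUS 2.x syntax.
# Module name, log path and format below are assumptions.

# raddb/modules/inner_reject_log
linelog inner_reject_log {
	filename = ${logdir}/inner-reject.log
	# %S is the request timestamp; mschap/pap set Module-Failure-Message on failure
	format = "%S inner reject: User-Name=\"%{User-Name}\" reason=\"%{Module-Failure-Message}\""
}

# raddb/sites-enabled/inner-tunnel
server inner-tunnel {
	authorize {
		mschap
		eap {
			ok = return
		}
		files
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}

	post-auth {
		# Runs when the inner method produces an Access-Accept.
		# Nothing is needed here for this test.

		# Intended to run when the inner method produces an Access-Reject.
		# As reported above, in the versions discussed it is not entered
		# for a failed PEAP/EAP-MSCHAPv2, so no line is written for those;
		# compare against a failed PAP (and TTLS/PAP) attempt.
		Post-Auth-Type REJECT {
			inner_reject_log
			attr_filter.access_reject
		}
	}
}
```

Run the server with -X, attempt one bad PAP and one bad EAP-MSCHAPv2 inner authentication, and compare the debug output and the log file: the method whose failure never reaches the inner post-auth section is the one with the logging gap described above.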
