Ready for 2.2.7?
Jouni Malinen
jkmalinen at gmail.com
Tue Mar 31 19:00:57 CEST 2015
On Tue, Mar 31, 2015 at 7:16 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Mar 31, 2015, at 10:53 AM, Jouni Malinen <jkmalinen at gmail.com> wrote:
>> This workaround (of not sending session
>> ticket) can also be disabled with eap_workaround=0, but it looks like
>> that actually results in other issues with FreeRADIUS (mismatch in
>> EAP-MSCHAPv2 header length when used within PEAP),
>
> Hmm... I don't see that here. Do you have packet traces / debug logs?

I was going to say that I cannot reproduce it anymore, but then I
remembered that I tested with a number of FreeRADIUS versions today.
This does not show up with 2.2.6, but does show up with 3.0.2. I
didn't have a more recent 3.0.x compiled in the earlier tests, but now
that I checked with 3.0.7, it looks like the issue has been fixed.

The error with 3.0.2 when eap_workaround=0 is used looked like this:

    EAP-PEAP: TLS done, proceed to Phase 2
    ...
    EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26
    EAP-MSCHAPV2: Invalid header: len=71 ms_len=33

Anyway, with that having already been addressed, eap_workaround=0
seems to work fine with both 2.2.6 and 3.0.7 and that does allow a TLS
session ticket to be used.

> And the inner EAP data in PEAP is... stupid. Very, very, stupid. <sigh>
Indeed.. And to make it even worse, the behavior is different between
PEAP v0 and v1 (or v2 that almost no one supports)..
- Jouni
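
The length check behind the "Invalid header: len=71 ms_len=33" line above, as an added example that is not part of the original message and not code from wpa_supplicant or FreeRADIUS. It assumes the EAP-MSCHAPv2 draft layout (5-byte EAP header, then OpCode, MS-CHAPv2-ID and a 2-byte MS-Length that should equal EAP Length minus 5); the function names, the `workaround` flag and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAP_HDR_LEN 5         /* Code, Identifier, Length(2), Type */
#define EAP_TYPE_MSCHAPV2 26  /* "method 26" in the log above */
enum len_check { LEN_OK = 0, LEN_MISMATCH_IGNORED = 1, LEN_REJECT = -1 };

/* Validate both length fields of an inner EAP-MSCHAPv2 message.
 * *len and *ms_len receive the two values a log line would report. */
enum len_check check_mschapv2_len(const uint8_t *pkt, size_t pkt_len,
                                  int workaround, size_t *len, size_t *ms_len)
{
    *len = *ms_len = 0;
    /* Need the EAP header plus OpCode, MS-CHAPv2-ID and MS-Length(2). */
    if (pkt_len < EAP_HDR_LEN + 4 || pkt[4] != EAP_TYPE_MSCHAPV2)
        return LEN_REJECT;
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    /* The EAP Length must fit inside the buffer actually received. */
    if (eap_len < EAP_HDR_LEN + 4 || eap_len > pkt_len)
        return LEN_REJECT;
    *len = eap_len - EAP_HDR_LEN;
    *ms_len = ((size_t)pkt[7] << 8) | pkt[8];
    if (*ms_len == *len)
        return LEN_OK;
    /* Lenient mode (assumed): accept, but bound later reads by *len only. */
    return workaround ? LEN_MISMATCH_IGNORED : LEN_REJECT;
}

/* Constructed sample: a 76-byte EAP request with a chosen MS-Length. */
size_t build_sample(uint8_t *buf, size_t cap, uint16_t ms_len_field)
{
    const size_t total = 76;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 1; buf[1] = 7;                 /* Request, arbitrary Identifier */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)(total & 0xff);
    buf[4] = EAP_TYPE_MSCHAPV2;
    buf[5] = 1; buf[6] = 7;                 /* OpCode Challenge, MS-CHAPv2-ID */
    buf[7] = (uint8_t)(ms_len_field >> 8); buf[8] = (uint8_t)(ms_len_field & 0xff);
    return total;
}

int main(void) {
    uint8_t buf[128]; size_t len, ms_len;
    size_t n = build_sample(buf, sizeof buf, 33);
    int r = check_mschapv2_len(buf, n, 0, &len, &ms_len);
    printf("strict: r=%d len=%zu ms_len=%zu\n", r, len, ms_len);
    return 0;
}
```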