Ready for 2.2.7?

Jouni Malinen jkmalinen at gmail.com
Tue Mar 31 19:00:57 CEST 2015


On Tue, Mar 31, 2015 at 7:16 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Mar 31, 2015, at 10:53 AM, Jouni Malinen <jkmalinen at gmail.com> wrote:
>> This workaround (of not sending session
>> ticket) can also be disabled with eap_workaround=0, but it looks like
>> that actually results in other issues with FreeRADIUS (mismatch in
>> EAP-MSCHAPv2 header length when used within PEAP),
>
>   Hmm... I don't see that here.  Do you have packet traces / debug logs?

I was going to say that I cannot reproduce it anymore, but then I
remembered that I tested with a number of FreeRADIUS versions today.
This does not show up with 2.2.6, but does show up with 3.0.2. I
didn't have a more recent 3.0.x compiled in the earlier tests, but now
that I checked with 3.0.7, it looks like the issue has been fixed.

The error with 3.0.2 when eap_workaround=0 is used looked like this:
EAP-PEAP: TLS done, proceed to Phase 2
...
EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26
EAP-MSCHAPV2: Invalid header: len=71 ms_len=33

Anyway, with that having already been addressed, eap_workaround=0
seems to work fine with both 2.2.6 and 3.0.7 and that does allow TLS
session ticket to be used.

>   And the inner EAP data in PEAP is... stupid.  Very, very, stupid.  <sigh>

Indeed.. And to make it even worse, the behavior is different between
PEAP v0 and v1 (or v2 that almost no one supports)..

- Jouni

