Add Check Item in PEAP MSCHAP V2 authentication process
Alan DeKok
aland at deployingradius.com
Mon Aug 29 13:24:51 CEST 2016
On Aug 29, 2016, at 5:34 AM, Tim Baledorion <timbaledorion at hotmail.com> wrote:
> I will try to rephrase my question according to your advice.
I asked you to explain what you meant by "node" and "node identifier". You haven't done that.
> To authenticate hosts in a network I'm using a Proxy Radius chain. The first element of this chain is named a Node and has a node identifier.
What is a "node identifier" ?
> Hosts are connecting to the network via NAS and the Radius Server configured in the NAS is the node radius.
>
> The host and the NAS don't know about the node identifier.
You've just given the same explanation as the previous message. Why do you think this is a good idea?
> I have added a node file under /etc/raddb/policy.d/ and invoked it in /etc/raddb/sites-available/default
>
> node.pre-proxy {
> if ("%{request:Packet-Type}" == 'Access-Request') {
> update proxy-request {
> &NET-NodeID == "ndid-00000001"
Where is that attribute defined?
If you edited raddb/dictionary, did you *READ* the comments in that file?
> but when using PEAP-MSCHAPv2 authentication model the NET-NodeID item doesn't appear in the Access-Request sent to the inner-tunnel.
Is it supposed to be there? Why do you think it's supposed to be there?
A proxy *cannot* modify the data inside of a TLS tunnel. TLS is designed to prevent this...
> I join the file containing the full authentication log for a request coming from node with identifier ndid-00000001 in NET-NodeID
Don't attach the debug log. Include it in the message.
And PLEASE follow instructions. It's "radiusd -X", not "radiusd -Xx", or "radiusd -xxxxxxxx".
> Once again thank you for your support. I did my best to answer your request and give you a better view. Let me know if it is not enough.
Read the documentation and follow it. That helps a lot.
Alan DeKok.