3.0.11 update broke my PEAP
Alan DeKok
aland at deployingradius.com
Mon Feb 15 15:54:11 CET 2016
On Feb 15, 2016, at 3:06 AM, Stefan Winter <stefan.winter at restena.lu> wrote:
> this looks suspiciously like a bug to me. I updated from 3.0.10 to
> 3.0.11 with a perfectly working and unchanged configuration. In 3.0.11,
> all PEAP is broken with a slightly enigmatic error message which
> suggests my config may be sub-par; I can't really determine what should
> be wrong with it.
I added more sanity checks to give startup errors instead of run-time errors. This shouldn't cause issues for people with correct configurations.
>
> (484) eap: Calling submodule eap_mschapv2 to process data
> (484) eap_mschapv2: Auth-Type sub-section not found. Ignoring.
That's actually produced by the main modules code. EAP-MSCHAPv2 is asking the modules code to run "Auth-Type MSCHAP", and the modules code is saying "nope, this virtual server doesn't have any MS-CHAP".
You probably have an "inner-tunnel" virtual server where you've removed "mschap" from the "authenticate" section.
The EAP-MSCHAPv2 module looks up the value for "Auth-Type MSCHAP" when it starts, and caches it. But critically, that value is global. There's no guarantee that the "Auth-Type MSCHAP" section exists in the virtual server which is using EAP-MSCHAPv2.
Doing that extra validation at startup time would require some significant code changes. The EAP-MSCHAPv2 module would have to get a list of all virtual servers where it's used, and then troll through those, looking for MSCHAP modules.
Or, having the EAP-MSCHAPv2 do a dlopen() of the rlm_mschap module directly, and call it directly. That might be weirder, but simpler.
Alan DeKok.
More information about the Freeradius-Users
mailing list