3.0.11 update broke my PEAP

Alan DeKok aland at deployingradius.com
Mon Feb 15 15:54:11 CET 2016

On Feb 15, 2016, at 3:06 AM, Stefan Winter <stefan.winter at restena.lu> wrote:
> this looks suspiciously like a bug to me. I updated from 3.0.10 to
> 3.0.11 with a perfectly working and unchanged configuration. In 3.0.11,
> all PEAP is broken with a slightly enigmatic error message which
> suggests my config may be sub-par; I can't really determine what should
> be wrong with it.

  I added more sanity checks to give startup errors instead of run-time errors.  This shouldn't cause issues for people with correct configurations.
> (484) eap: Calling submodule eap_mschapv2 to process data
> (484) eap_mschapv2: Auth-Type sub-section not found.  Ignoring.

  That's actually produced by the main modules code.  EAP-MSCHAPv2 is asking the modules code to run "Auth-Type MSCHAP", and the modules code is saying "nope, this virtual server doesn't have any MS-CHAP".

  You probably have an "inner-tunnel" virtual server where you've removed "mschap" from the "authenticate" section.

  The EAP-MSCHAPv2 module looks up the value for "Auth-Type MSCHAP" when it starts, and caches it.  But critically, that value is global.  There's no guarantee that the "Auth-Type MSCHAP" section exists in the virtual server which is using EAP-MSCHAPv2.

  Doing that extra validation at startup time would require some significant code changes.  The EAP-MSCHAPv2 module would have to get a list of all virtual servers where it's used, and then troll through those, looking for MSCHAP modules.

  Or, having the EAP-MSCHAPv2 do a dlopen() of the rlm_mschap module directly, and call it directly.  That might be weirder, but simpler.

  Alan DeKok.

More information about the Freeradius-Users mailing list