3.0.11 update broke my PEAP

Stefan Winter stefan.winter at restena.lu
Wed Feb 17 09:25:17 CET 2016


>   You probably have an "inner-tunnel" virtual server where you've removed "mschap" from the "authenticate" section.

I don't. My authenticate{} in inner-tunnel is:

authenticate {
        Auth-Type PAP{
        Auth-Type MS-CHAP{

mschap_hash_debugfallback is a policy doing weird things, but one of
those things is that it calls "mschap" just like the default shipped
inner-tunnel does.


Stefan Winter

>   The EAP-MSCHAPv2 module looks up the value for "Auth-Type MSCHAP" when it starts, and caches it.  But critically, that value is global.  There's no guarantee that the "Auth-Type MSCHAP" section exists in the virtual server which is using EAP-MSCHAPv2.
>   Doing that extra validation at startup time would require some significant code changes.  The EAP-MSCHAPv2 module would have to get a list of all virtual servers where it's used, and then troll through those, looking for MSCHAP modules.
>   Or, having the EAP-MSCHAPv2 do a dlopen() of the rlm_mschap module directly, and call it directly.  That might be weirder, but simpler.
>   Alan DeKok.

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
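
Added example, not part of the original message and not FreeRADIUS code: since the quoted reply says nothing at startup verifies that an "Auth-Type MSCHAP" section exists in the virtual server using EAP-MSCHAPv2, this sketch lists virtual servers whose authenticate{} lacks one. The sample config is constructed, the parser is a simplified brace matcher rather than the server's own, and accepting both the "MS-CHAP" and "MSCHAP" spellings is an assumption.

```python
import re

# Constructed sample config (not from the thread): two virtual servers,
# only one of which defines an MS-CHAP Auth-Type section.
SAMPLE = """
server default {
    authenticate {
        Auth-Type PAP { pap }
        Auth-Type MS-CHAP { mschap }
    }
}
server inner-tunnel {
    authenticate {
        Auth-Type PAP { pap }
        # Auth-Type MS-CHAP { mschap }   (commented out)
    }
}
"""

TOKEN = re.compile(r'"[^"]*"|[{}]|[^\s{}]+')

def parse_sections(text):
    """Yield the path of enclosing section names each time a '{' opens a block."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]   # naive comment strip: assumes no '#' in strings
        words = []
        for tok in TOKEN.findall(line):
            if tok == "{":
                stack.append(" ".join(words))
                words = []
                yield tuple(stack)
            elif tok == "}":
                if stack:
                    stack.pop()
                words = []
            else:
                words.append(tok)

def servers_missing_mschap(text):
    """Return virtual servers with no Auth-Type MS-CHAP/MSCHAP in authenticate{}."""
    servers, have = [], set()
    for path in parse_sections(text):
        if not path[0].startswith("server "):
            continue
        name = path[0].split(None, 1)[1]
        if len(path) == 1:
            servers.append(name)
        elif (len(path) == 3 and path[1] == "authenticate"
              and re.fullmatch(r"Auth-Type\s+MS-?CHAP", path[2], re.I)):
            have.add(name)
    return [s for s in servers if s not in have]
```

A server reported here only matters if EAP-MSCHAPv2 is actually used in it; the check does not follow $INCLUDE directives or policies.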
