rlm_rest learnings - PAP and PEAP/MSCHAPv2

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Jan 22 23:42:09 CET 2020

> Issues:
> When doing PEAP/MSCHAPv2, the authorize REST API gets called twice in the inner-tunnel, for two different EAP messages.
> Wastes a few milliseconds, but only a minor issue.

Add NT-Password to the session-state: list.  Only call the rest module if session-state:NT-Password isn't set, otherwise copy session-state:NT-Password to the control list.
> Using 
>  radtest -t mschap valid-user at domain invalid_password 0 radius_secret
> replied with
>  MS-CHAP-Error = "\000E=691 R=1 C=ad8367a70f809d72 V=2"
> My reading of the MS-CHAP-V2 RFC2759 and PPP CHAP RFC1994 is that this should have been
>  MS-CHAP-Error = "E=691 R=1 C=ad8367a70f809d72 V=2"

Hm, feel free to track it down and submit a PR :)

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

More information about the Freeradius-Users mailing list