(RADIATOR) Fwd: EAPAnonymous - Different behaviour for EAP-TTLS and PEAP

Rogier Krieger rkrieger at gmail.com
Tue Apr 10 07:49:28 CDT 2007


After trying several times, the list server appears to quietly refuse
the trace dumps I wanted to send along (~300 KB). Hence a try without
the dumps, with (temporary) links to them online.

http://www.iverdahl.net/pub/radiator-trace/


---------- Forwarded message ----------
From: Rogier Krieger <rkrieger at gmail.com>
Date: Apr 10, 2007 10:22 AM
Subject: EAPAnonymous - Different behaviour for EAP-TTLS and PEAP
To: Radiator list <radiator at open.com.au>


Dear list,

Now that both EAP-TTLS and PEAP-MSCHAP-V2 are working for me, I felt it
was time to add a bit of breakage. I am trying to achieve the
following things:

+ Support for multiple realms for an EAP inner identity
        -> Regular users (@domain.tld) - from a central LDAP
        -> Visitors (@visitor.domain.tld) - from a simple database (to be built)
+ A single EAP outer identity: anonymous at domain.tld

I intend to do this using various <Handler> clauses that define
appropriate criteria (TunneledByTTLS=1) and realms
(Realm=visitor.domain.tld). I included my configuration with this
message. Reading the manual, I gather I should use the EAPAnonymous
parameter to achieve the above. I am using EAPAnonymous %0.


Expected issue:
When using the EAPAnonymous parameter (set to %0), I seem to get
different results dependent on whether the supplicant uses EAP-TTLS or
PEAP. TTLS works out of the box, but PEAP seems to handle the request
based on the *outer* EAP identity.


Testing:
I ran several scenarios, with varying outer and inner identities. I
included traces for both TTLS and PEAP. For an outer identity, I use
anonymous@$realm. On the inside, I authenticate with my test user
(test@$realm).

  Outer identity        Inner identity
1 iverdahl.net          iverdahl.net
2 iverdahl.net          visitor.iverdahl.net
3 visitor.iverdahl.net  iverdahl.net
4 visitor.iverdahl.net  visitor.iverdahl.net

In every case, I expect the final handler to correspond with the inner
identity realm. Unfortunately, my results are different:

  Expected              TTLS result     PEAP result
1 iverdahl.net          OK              OK
2 visitor.iverdahl.net  OK              FAIL (iverdahl.net)
3 iverdahl.net          OK              FAIL (visitor.iverdahl.net)
4 visitor.iverdahl.net  OK              OK
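As an added illustration (not part of the original message, and not the configuration the poster attached), the handler layout described above can be written so that each tunnelled inner request is dispatched on the realm of its own inner identity rather than on the anonymous outer one. Radiator tries Handler clauses in order of appearance and uses the first whose check items all match, so the tunnelled Handlers must precede the catch-all that terminates the TLS tunnel. The check item names follow the spelling used in Radiator's shipped example configurations (TunnelledByTTLS, TunnelledByPEAP); confirm them against the reference manual for your version. The AuthBy FILE backends, file names and certificate paths are constructed placeholders standing in for the poster's central LDAP and the visitor database.

```text
# Added illustration; not the poster's attached configuration.
# Handlers are tried top to bottom; the first full match wins.

# --- Inner (tunnelled) requests, selected by the inner identity's realm ---

# Regular users: placeholder for the central LDAP backend
<Handler TunnelledByTTLS=1, Realm=iverdahl.net>
    <AuthBy FILE>
        # placeholder path
        Filename %D/users
    </AuthBy>
</Handler>
<Handler TunnelledByPEAP=1, Realm=iverdahl.net>
    <AuthBy FILE>
        Filename %D/users
        # PEAP carries EAP inside the tunnel, so the inner method is named here
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

# Visitors: placeholder for the simple visitor database to be built
<Handler TunnelledByTTLS=1, Realm=visitor.iverdahl.net>
    <AuthBy FILE>
        Filename %D/visitors
    </AuthBy>
</Handler>
<Handler TunnelledByPEAP=1, Realm=visitor.iverdahl.net>
    <AuthBy FILE>
        Filename %D/visitors
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

# --- Outer request (anonymous@...): terminates the TLS tunnel only ---
# A Handler without check items matches everything, so it must come last.
<Handler>
    <AuthBy FILE>
        # the anonymous outer identity is not what gets authenticated
        Filename %D/users
        EAPType TTLS, PEAP
        # certificate paths and password are placeholders
        EAPTLS_CAFile %D/certificates/ca.pem
        EAPTLS_CertificateFile %D/certificates/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/server.key
        EAPTLS_PrivateKeyPassword changeme
        # %0 is replaced by the inner EAP identity, so the inner request
        # carries the user's own realm instead of the anonymous outer realm
        EAPAnonymous %0
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

With this layout, cases 2 and 3 in the table above should land in the Handler whose Realm equals the inner realm regardless of which outer realm the supplicant announced; running radiusd at trace level 4 shows which Handler each inner request was dispatched to, which is the quickest way to confirm whether the inner or the outer identity drove the selection for TTLS and for PEAP.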

