(RADIATOR) Fwd: EAPAnonymous - Different behaviour for EAP-TTLS and PEAP

[Rogier Krieger]

Hello Hugh,

On 4/12/07, Hugh Irvine <hugh at open.com.au> wrote:
> Could you please provide a bit more detail about the tests you have
> tried and the expected outcomes versus the actual outcomes?

The tests are rather simple, really. I would like to handle requests
with different EAP *inner* identities by different <Handler> clauses
and at the same time support both TTLS and PEAP. Hence the four
handlers: TunneledBy(TTLS|PEAP)=1, Realm=[visitor.]iverdahl.net

Two EAP types, each one for two realms, equals four <Handler> clauses.


Expectations:
By setting EAPAnonymous %0, I expect the inner request (that I believe
should be handled by the TunneledBy(TTLS|PEAP) condition) to match on
the second condition (Realm=) as well. For TTLS, that seems to be the
case (even when I'm not using EAPAnonymous %0). I would like for PEAP
to work similarly.


Test setup:
The reason for 8 dumps is that I test both TTLS and PEAP, and for each
of those, vary both the outer and inner identities to see how Radiator
handles those authentication requests. In every case, I expect
Radiator to select a handler based on the Realm of the EAP inner
identity. When the outer and inner identities differ, this is meant as
a check: Radiator should choose a handler based on the inner EAP
identity.


Test results:
For TTLS, Radiator seems to do this. For PEAP, however, Radiator seems
to select a handler based upon the EAP outer identity, even though the
manual leads me to believe EAPAnonymous %0 should use the EAP inner
identity for the request.


Does the above clarify things?

Cheers,

Rogier

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.