[RADIATOR] TTLS and AuthbyLSA

Heikki Vatiainen hvn at open.com.au
Mon Jan 10 13:09:08 CST 2011


On 01/10/2011 05:48 PM, Johnson, Neil M wrote:

> TTLS-MSCHAPv2 works.

Great!

> I was confused. I thought ttls-eap-mschapv2 was ttls-mschapv2.

Well, I did not notice this either until I checked the wpa_supplicant doc
and took a peek at the code. Only then I realised that EAP is not
necessary and plain MSCHAPv2 over the TTLS tunnel works too, and that is
the common case.

> Still, it would be nice to know why the inner identity is being found.

I think what I wrote about checking both the EAP Identity and the User-Name
attribute might be useful if someone, for some reason, wants to use
EAP-Something over the TTLS tunnel. But I guess it is quite infrequent. The TTLS
RFC states that CHAP, MSCHAP and MSCHAPv2 must include User-Name, but
there is no such requirement for EAP.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
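The point above about looking in both places for the inner identity, as an added example that is not code from the Radiator project or from either poster: a small parser for the decrypted TTLS phase-2 payload (Diameter-format AVPs per RFC 5281) that first takes User-Name (RADIUS attribute 1), which plain MSCHAPv2 inside the tunnel carries, and otherwise reassembles the EAP-Message AVPs (attribute 79) and reads the identity out of an EAP Identity Response, which is all an EAP-Something inner method may give you. The Microsoft vendor ID (311) and the MS-CHAP-Challenge/MS-CHAP2-Response attribute numbers (11 and 25) are from RFC 2548; the two sample payloads are constructed here with placeholder challenge/response bytes and are not captures.

```python
import struct

# RADIUS attribute codes reused as TTLS AVP codes (RFC 5281 section 10)
AVP_USER_NAME = 1          # RFC 2865
AVP_EAP_MESSAGE = 79       # RFC 2869
VENDOR_MICROSOFT = 311     # RFC 2548
MS_CHAP_CHALLENGE = 11
MS_CHAP2_RESPONSE = 25

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def encode_avp(code, data, vendor_id=None, mandatory=True):
    """Build one TTLS AVP: code(4) flags(1) length(3) [vendor(4)] data, padded to 4."""
    flags = 0x40 if mandatory else 0          # M bit
    header_len = 8
    if vendor_id is not None:
        flags |= 0x80                         # V bit
        header_len += 4
    length = header_len + len(data)           # length covers header + data, not padding
    hdr = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        hdr += struct.pack("!I", vendor_id)
    return hdr + data + b"\x00" * ((-length) % 4)


def parse_avps(buf):
    """Return [(code, vendor_id_or_None, data)] for a TTLS phase-2 AVP sequence."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr_len = 12 if flags & 0x80 else 8
        if length < hdr_len or off + length > len(buf):
            raise ValueError("bad AVP length")
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & 0x80 else None
        avps.append((code, vendor, buf[off + hdr_len:off + length]))
        off += length + ((-length) % 4)       # skip padding to the next 4-byte boundary
    return avps


def eap_identity(eap):
    """Identity string from an EAP Identity Response packet, else None."""
    if len(eap) < 5:
        return None
    code, _ident, length, etype = struct.unpack_from("!BBHB", eap, 0)
    if code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY or length < 5 or length > len(eap):
        return None
    return eap[5:length].decode("utf-8", errors="replace")


def inner_identity(buf):
    """(identity, source) where source is 'User-Name', 'EAP-Identity' or None."""
    avps = parse_avps(buf)
    for code, vendor, data in avps:
        if code == AVP_USER_NAME and vendor is None:
            return data.decode("utf-8"), "User-Name"
    # EAP packets over 253 bytes are split across several EAP-Message AVPs;
    # concatenating them in order restores the packet.
    eap = b"".join(d for c, v, d in avps if c == AVP_EAP_MESSAGE and v is None)
    ident = eap_identity(eap)
    if ident is not None:
        return ident, "EAP-Identity"
    return None, None


def eap_identity_response(identity, ident=1):
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


# Constructed sample payloads (placeholder challenge/response bytes, not real captures)
PLAIN_MSCHAPV2 = (
    encode_avp(AVP_USER_NAME, b"alice@example.org")
    + encode_avp(MS_CHAP_CHALLENGE, bytes(16), vendor_id=VENDOR_MICROSOFT)
    + encode_avp(MS_CHAP2_RESPONSE, bytes(50), vendor_id=VENDOR_MICROSOFT)
)
EAP_MSCHAPV2 = encode_avp(AVP_EAP_MESSAGE, eap_identity_response(b"bob@example.org"))

if __name__ == "__main__":
    print(inner_identity(PLAIN_MSCHAPV2))   # ('alice@example.org', 'User-Name')
    print(inner_identity(EAP_MSCHAPV2))     # ('bob@example.org', 'EAP-Identity')
```

The order of the two lookups matters for the failure mode Neil asked about: with an EAP inner method a User-Name AVP may simply be absent, so a server that only reads User-Name would report no inner identity even though the peer did send one in the EAP Identity Response.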
