[RADIATOR] Issue with TTLS-EAP-MSCHAPv2 and EAPAnonymous
Heikki Vatiainen
hvn at open.com.au
Fri May 3 12:40:25 CDT 2013
On 05/02/2013 10:52 PM, Johnson, Neil M wrote:
> I'm trying to get TTLS-EAP-MSCHAPv2 working.
>
> I've found that if I have EAPAnonymous set to %0, It does not work.
Hello Neil,
I agree EAPAnonymous %0 seems not to fetch the inner EAP Identity
correctly. I looked at the code and there's a difference between
EAP-TTLS vs. PEAP and EAP-FAST here.
> If I set EAPAnonymous to %{User-Name}, it works.
Note that this is the User-Name from the outer request. This may or may
not be the same as inner EAP Identity.
> The only difference I see is that the username is in the [] field is
> empty when EAPAnonymous %0 is set and is [wlantest02 at uiowa.edu] when
> EAPAnonymous is set to %{User-Name}.
The brackets [] mark the original User-Name before any rewrites and
other changes. With EAPAnonymous %0 the TTLS code currently sets the
inner request's User-Name to empty.
There is one difference with EAP-TTLS EAPAnonymous compared to other
tunneling EAPs. with one exception: if there already is a User-Name,
this User-Name is not modified. This happens with e.g., EAP-TTLS/PAP.
When you use EAPAnonymous %{User-Name} the inner User-Name gets its
value from the RADIUS message's (outer request) value.
> Is this expected behavior, or a bug ?
I think this is a bug. If can send you a fixed EAP_21.pm if you could
test it before it gets applied to the patches.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list