[RADIATOR] EAPContext inner_identity
Heikki Vatiainen
hvn at open.com.au
Wed Oct 2 10:21:47 CDT 2013
On 10/01/2013 03:21 AM, David Zych wrote:
> However, EAP_25 (PEAP) only sets $context->{inner_identity} in
> replyFn after the inner authentication succeeds. In order for it to
> be available in case of reject, I'm experimenting with using a second
> PostAuthHook on the inner handler to _set_
> {outerRequest}->{EAPContext}->{inner_identity}. This seems to work
> in my testing so far, but I'm worried that it might have unintended
> consequences.
It appears existence of {inner_identity} is considered also when
deciding if the client should be allowed to do PEAP fast reconnect.
> I was wondering: is there an important reason that EAP_25 does *not*
> set $context->{inner_identity} as soon as the identity is available
> (or at least also in the reject case of replyFn)?
inner_identity can be set earlier too but in this case EAP_25 should
also set something like {inner_auth_success} EAP_21 does and use that
with fast reconnect check.
> If yes, there's something going on that I don't understand, in which
> case setting it myself via PostAuthHook could cause problems and I
> should consider altering my plan. If no, then my plan is sound, but
> setting it in EAP_25 would be even better and save me a PostAuthHook.
> :)
I think the plan could be to introduce {inner_auth_success} and leave
{inner_identity} just for logging and other such purposes.
Would you be interested in testing this?
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list