[RADIATOR] EAPContext inner_identity

Heikki Vatiainen hvn at open.com.au
Wed Oct 2 10:21:47 CDT 2013


On 10/01/2013 03:21 AM, David Zych wrote:

> However, EAP_25 (PEAP) only sets $context->{inner_identity} in
> replyFn after the inner authentication succeeds.  In order for it to
> be available in case of reject, I'm experimenting with using a second
> PostAuthHook on the inner handler to _set_
> {outerRequest}->{EAPContext}->{inner_identity}.  This seems to work
> in my testing so far, but I'm worried that it might have unintended
> consequences.

It appears the existence of {inner_identity} is also considered when
deciding whether the client should be allowed to do PEAP fast reconnect.

> I was wondering: is there an important reason that EAP_25 does *not*
> set $context->{inner_identity} as soon as the identity is available
> (or at least also in the reject case of replyFn)?

inner_identity can be set earlier too, but in this case EAP_25 should
also set something like {inner_auth_success}, as EAP_21 does, and use that
for the fast reconnect check.

> If yes, there's something going on that I don't understand, in which
> case setting it myself via PostAuthHook could cause problems and I
> should consider altering my plan.  If no, then my plan is sound, but
> setting it in EAP_25 would be even better and save me a PostAuthHook.
> :)

I think the plan could be to introduce {inner_auth_success} and leave
{inner_identity} just for logging and other such purposes.

Would you be interested in testing this?

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
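
As an added example, not from the original message and not part of the Radiator distribution, below is what the PostAuthHook David describes might look like once combined with the separate {inner_auth_success} flag Heikki proposes. It assumes Radiator's documented hook convention (each argument is a reference: `${$_[0]}` is the request, `${$_[2]}` the result code such as $main::ACCEPT), that the inner request carries {outerRequest} pointing at the outer request whose {EAPContext} is the PEAP context (as stated in the thread), and that `file:"..."` may be used to load hook code from a file. The key {inner_auth_success} is the one suggested in the reply; nothing in the EAP_25 of this date reads it, so it only has effect once that module is changed to check it.

```perl
# peap-inner.pl: PostAuthHook for the inner (tunnelled) PEAP Handler.
# Added example, not Radiator's own code.
#
# Assumed attachment in the Radiator config (hook loaded from a file):
#
#   <Handler TunnelledByPEAP=1>
#       ...
#       PostAuthHook file:"%D/peap-inner.pl"
#   </Handler>
#
# Assumptions: hook arguments are references ($_[0] -> request,
# $_[1] -> reply, $_[2] -> result code, $_[3] -> reason), and the inner
# request has {outerRequest} whose {EAPContext} is the PEAP context.
# A PostAuthHook runs for accepts and rejects alike, so the inner
# identity is recorded even when the inner authentication fails.
sub {
    my $p      = ${$_[0]};   # inner request
    my $result = ${$_[2]};   # $main::ACCEPT, $main::REJECT, ...

    # Only act on tunnelled requests that really have an outer PEAP context.
    my $outer = $p->{outerRequest} or return;
    my $ctx   = $outer->{EAPContext} or return;

    my $inner_id = $p->getUserName();
    return unless defined $inner_id && length $inner_id;

    # Record the identity for logging, regardless of the outcome ...
    $ctx->{inner_identity} = $inner_id;

    # ... and keep the success/failure decision in a separate flag, so a
    # rejected identity can be logged without enabling fast reconnect.
    $ctx->{inner_auth_success} = ($result == $main::ACCEPT) ? 1 : 0;

    &main::log($main::LOG_DEBUG,
        "PEAP inner identity '$inner_id' recorded, inner auth "
        . ($ctx->{inner_auth_success} ? 'succeeded' : 'failed'), $p);
}
```

With this in place a fast-reconnect decision that tests only {inner_identity} would still be fooled by a rejected inner user; the point of the second key is that the check can be moved to {inner_auth_success} while {inner_identity} stays available for logging in both the accept and the reject case.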

