[RADIATOR] TTLS with inner MSCHAPv2 vs. inner EAP-MSCHAPv2

Heikki Vatiainen hvn at open.com.au
Tue Jun 9 07:10:16 CDT 2015


On 9.6.2015 15.05, Christian Kratzer wrote:

> On Tue, 9 Jun 2015, Heikki Vatiainen wrote:
> <snipp/>
>> It should now return accept or reject, not a challenge. If it accepts,
>> it will tunnel MS-CHAP2-Success back to the client with the accept.
>
> this seems to lead to the problem in our setup.
>
> We have the following structure in the inner handler, with a cascaded
> second AuthBy SQL after the authenticating SQL for authorisation:
>
>    <Handler TunnelledByTTLS=1>
>        Identifier    TunnelledByTTLS
>        AuthByPolicy    ContinueWhileAccept
>        AuthBy        SQLauthenticate
>        AuthBy        SQLauthorize   # uses NoEAP and NoCheckPassword
>    </Handler>
>
> In the EAP-MSCHAPv2 case Radiator does not proceed to SQLauthorize when
> SQLauthenticate has produced a challenge:

How about adding a Handler for EAP:

<Handler TunnelledByTTLS=1, EAP-Message=/.+/>
    # Policies etc. to work with EAP
</Handler>

<Handler TunnelledByTTLS=1>
    # Policies to work with non-EAP requests
</Handler>

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
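To make the thread's point concrete, here is an added model (not Radiator code, and not from either poster) of how AuthByPolicy ContinueWhileAccept stops at a CHALLENGE and how the two-Handler split routes the EAP and non-EAP inner requests to different chains. The AuthBy behaviour, the request dicts and the Handler identifier "TunnelledByTTLS-EAP" are constructed assumptions.

```python
import re

ACCEPT, REJECT, CHALLENGE = "ACCEPT", "REJECT", "CHALLENGE"

def sql_authenticate(req):
    # Constructed model of the authenticating AuthBy SQL: an inner EAP-MSCHAPv2
    # exchange needs a challenge round before it can accept, while a plain
    # (non-EAP) MSCHAPv2 request is answered in a single round.
    if "EAP-Message" in req and not req.get("eap_final_round"):
        return CHALLENGE
    return ACCEPT if req["User-Name"] == "alice" else REJECT

def sql_authorize(req):
    # Constructed model of the NoEAP/NoCheckPassword AuthBy SQL: it only adds
    # reply attributes and never challenges.
    req.setdefault("reply", {})["Filter-Id"] = "students"
    return ACCEPT

def continue_while_accept(req, chain):
    """AuthByPolicy ContinueWhileAccept: run the AuthBys in order and stop at
    the first result that is not ACCEPT, so a CHALLENGE ends the chain early."""
    ran, result = [], REJECT
    for name, authby in chain:
        result = authby(req)
        ran.append(name)
        if result != ACCEPT:
            break
    return result, ran

# Christian's original single Handler: authenticate, then authorize.
SINGLE_CHAIN = [("SQLauthenticate", sql_authenticate), ("SQLauthorize", sql_authorize)]

# Heikki's two-Handler layout. The EAP-Message Handler is listed first because
# Radiator uses the first Handler whose check items all match the request.
HANDLERS = [
    ("TunnelledByTTLS-EAP", {"TunnelledByTTLS": "1", "EAP-Message": re.compile(r".+")},
     [("SQLauthenticate", sql_authenticate)]),   # EAP-specific policies go here
    ("TunnelledByTTLS", {"TunnelledByTTLS": "1"}, SINGLE_CHAIN),
]

def matches(req, checks):
    return all(k in req and (v.search(req[k]) if isinstance(v, re.Pattern) else req[k] == v)
               for k, v in checks.items())

def dispatch(req):
    """Return (handler identifier, result, AuthBys that ran) for one inner request."""
    for ident, checks, chain in HANDLERS:
        if matches(req, checks):
            return (ident,) + continue_while_accept(req, chain)
    return (None, REJECT, [])

# Constructed inner requests as seen after TTLS decapsulation.
EAP_REQ = {"TunnelledByTTLS": "1", "User-Name": "alice", "EAP-Message": "<eap-mschapv2-response>"}
PLAIN_REQ = {"TunnelledByTTLS": "1", "User-Name": "alice", "MS-CHAP2-Response": "<response>"}
```

With the single Handler, the first EAP round stops after SQLauthenticate; with the split, the non-EAP request still cascades through SQLauthorize.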