[RADIATOR] TTLS with inner MSCHAPv2 vs. inner EAP-MSCHAPv2
Christian Kratzer
ck-lists at cksoft.de
Tue Jun 9 07:18:29 CDT 2015
Hi,
On Tue, 9 Jun 2015, Heikki Vatiainen wrote:
> On 9.6.2015 15.05, Christian Kratzer wrote:
>
>> On Tue, 9 Jun 2015, Heikki Vatiainen wrote:
>> <snipp/>
>>> It should now return accept or reject, not a challenge. If it accepts,
>>> it will tunnel MS-CHAP2-Success back to the client with the accept.
>>
>> this seems to lead to the problem in our setup.
>>
>> We have the following structure in the inner handler, with a cascaded
>> second AuthSQL after the authenticating SQL for authorisation:
>>
>> <Handler TunnelledByTTLS=1>
>> Identifier TunnelledByTTLS
>> AuthByPolicy ContinueWhileAccept
>> AuthBy SQLauthenticate
>> AuthBy SQLauthorize ( uses NoEAP and NoCheckPassword )
>> </Handler>
>>
>> In the EAP-MSCHAPv2 case radiator does not proceed to SQLauthorize when
>> SQLauthenticate has produced a challenge:
>
> How about adding a Handler for EAP:
>
> <Handler TunnelledByTTLS=1, EAP-Message=/.+/>
> # Policies etc. to work with EAP
> </Handler>
>
> <Handler TunnelledByTTLS=1>
> # Policies to work with non-EAP requests
> </Handler>

Yes, that would help separate the cases, but I would still need to solve the non-EAP case, i.e. how to ignore SQLauthorize while SQLauthenticate is challenging the client.

Would something like this work for plain MSCHAPv2?

ContinueUntilChallenge
AuthBy SQLauthenticate
AuthBy SQLauthorize ( uses NoEAP and NoCheckPassword )
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck at cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/