[RADIATOR] TTLS with inner MSCHAPv2 vs. inner EAP-MSCHAPv2

Heikki Vatiainen hvn at open.com.au
Tue Jun 9 07:48:50 CDT 2015


On 9.6.2015 15.18, Christian Kratzer wrote:

> yes that would help separate the cases but I would still need to solve
> the non-EAP case, i.e. how to ignore SQLauthorize while SQLauthenticate
> is challenging the client.  Would something like this work for plain
> MSCHAPv2 ?
>
>      ContinueUntilChallenge
>      AuthBy        SQLauthenticate
>      AuthBy        SQLauthorize ( uses NoEAP and NoCheckPassword )

Hmm, going back to your earlier message, I'd say 'AuthByPolicy 
ContinueWhileAccept' should be good for both EAP and non-EAP case.

With plain (non-EAP) MSCHAPv2, there is no need to challenge the client. 
When EAP authentication is done, it does use challenge, but non-EAP does 
not. Radiator can immediately respond with accept or reject.

If the client does not want to continue in the non-EAP case, then it may 
not like the response Radiator sends. This could happen when, for 
example, the response Radiator calculates is incorrect.

If you switch to EAP-TTLS/PAP for testing, it should work similarly with 
one request and immediate accept/reject from Radiator.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
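
The following is an added example, not part of the original message and not Radiator code: a small Python model of how the two policies named in the thread chain `SQLauthenticate` and `SQLauthorize` for EAP and plain MSCHAPv2 requests. The stop rules are assumptions read from the policy names, and the two AuthBy functions and the request fields are hypothetical stand-ins.

```python
# Simplified model (assumption) of AuthByPolicy chaining; not Radiator code.
ACCEPT, REJECT, CHALLENGE = "ACCEPT", "REJECT", "CHALLENGE"

# Stop rules, read from the policy names: "While X" stops on the first
# result that is not X, "Until X" stops on the first result that is X.
POLICIES = {
    "ContinueWhileAccept": lambda r: r != ACCEPT,
    "ContinueUntilChallenge": lambda r: r == CHALLENGE,
}

def sql_authenticate(req):
    """Hypothetical stand-in for the password-checking AuthBy."""
    if req["eap"] and not req["final_round"]:
        return CHALLENGE  # EAP-MSCHAPv2 still needs another round trip
    return ACCEPT if req["password_ok"] else REJECT

def sql_authorize(req):
    """Hypothetical stand-in for the NoEAP/NoCheckPassword AuthBy."""
    return ACCEPT  # no password check: it only looks up reply items

def run_chain(policy, req):
    """Return (final result, names of the AuthBy clauses that ran)."""
    ran, result = [], REJECT
    for name, authby in (("SQLauthenticate", sql_authenticate),
                         ("SQLauthorize", sql_authorize)):
        result = authby(req)
        ran.append(name)
        if POLICIES[policy](result):
            break
    return result, ran

# Constructed requests covering the cases discussed in the thread.
CASES = {
    "eap, mid-handshake": dict(eap=True, final_round=False, password_ok=True),
    "eap, final round": dict(eap=True, final_round=True, password_ok=True),
    "plain, good password": dict(eap=False, final_round=True, password_ok=True),
    "plain, bad password": dict(eap=False, final_round=True, password_ok=False),
}

if __name__ == "__main__":
    for policy in POLICIES:
        for label, req in CASES.items():
            print(f"{policy:24} {label:22} {run_chain(policy, req)}")
```

In this model `ContinueWhileAccept` runs `SQLauthorize` only after `SQLauthenticate` has accepted, for both EAP and plain requests. Under `ContinueUntilChallenge` a plain request with a bad password still reaches the clause that does not check the password, so that case is worth testing against a real configuration.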

