[RADIATOR] TTLS with inner MSCHAPv2 vs. inner EAP-MSCHAPv2
Heikki Vatiainen
hvn at open.com.au
Tue Jun 9 07:48:50 CDT 2015
On 9.6.2015 15.18, Christian Kratzer wrote:
> yes that would help separate the cases but I would still need to solve
> the non-EAP case, i.e. how to ignore SQLauthorize while SQLauthenticate
> is challenging the client. Would something like this work for plain
> MSCHAPv2 ?
>
> ContinueUntilChallenge
> AuthBy SQLauthenticate
> AuthBy SQLauthorize ( uses NoEAP and NoCheckPassword )

Hmm, going back to your earlier message, I'd say 'AuthByPolicy
ContinueWhileAccept' should be good for both the EAP and non-EAP cases.

With plain (non-EAP) MSCHAPv2, there is no need to challenge the client.
When EAP authentication is done, it does use a challenge, but non-EAP does
not. Radiator can immediately respond with accept or reject.

If the client does not want to continue in the non-EAP case, then it may
not like the response Radiator sends. This could happen when, for
example, the response Radiator calculates is incorrect.

If you switch to EAP-TTLS/PAP for testing, it should work similarly with
one request and immediate accept/reject from Radiator.

Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.