[RADIATOR] TTLS with inner MSCHAPv2 vs. inner EAP-MSCHAPv2

Christian Kratzer ck-lists at cksoft.de
Tue Jun 9 08:53:14 CDT 2015


Hi,

On Tue, 9 Jun 2015, Heikki Vatiainen wrote:
> On 9.6.2015 15.18, Christian Kratzer wrote:
>
>> yes that would help separate the cases but I would still need to solve
>> the non-EAP case, i.e. how to ignore SQLauthorize while SQLauthenticate
>> is challenging the client.  Would something like this work for plain
>> MSCHAPv2?
>>
>>      ContinueUntilChallenge
>>      AuthBy        SQLauthenticate
>>      AuthBy        SQLauthorize ( uses NoEAP and NoCheckPassword )
>
> Hmm, going back to your earlier message, I'd say 'AuthByPolicy
> ContinueWhileAccept' should be good for both EAP and non-EAP case.
>
> With plain (non-EAP) MSCHAPv2, there is no need to challenge the client.
> When EAP authentication is done, it does use challenge, but non-EAP does
> not. Radiator can immediately respond with accept or reject.
>
> If the client does not want to continue in the non-EAP case, then it may
> not like the response Radiator sends. This could happen when, for
> example, the response Radiator calculates is incorrect.
>
> If you switch to EAP-TTLS/PAP for testing, it should work similarly with
> one request and immediate accept/reject from Radiator.


Good tip.  It seems that some attributes added by SQLauthorize are
interfering. We added an AllowInReply clause to the handler for non-EAP
cases and it seems to be working as planned.

Still testing though.

Greetings
Christian

-- 
Christian Kratzer                   CK Software GmbH
Email:   ck at cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
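A Radiator configuration fragment illustrating the setup discussed in this thread (one AuthBy that checks the password, a second that only supplies authorization attributes, both run under AuthByPolicy ContinueWhileAccept, and AllowInReply on the handler that serves plain MSCHAPv2). This is an added example, not code from the thread or from the Radiator distribution. The AuthBy identifiers SQLauthenticate and SQLauthorize come from the thread; the database source and credentials, the "subscribers" table layout, the certificate paths, the Client clause for the VPN gateway and the attribute list in AllowInReply are all assumptions for illustration.

```conf
# Added example; assumes a PostgreSQL "subscribers" table with the
# columns user_name, password, framed_ip and session_timeout, a NAS
# called "vpn-gateway" that does plain (non-EAP) MSCHAPv2, and WLAN
# controllers that do EAP-TTLS with inner MSCHAPv2.

# Plain-MSCHAPv2 NAS (assumed)
<Client 192.0.2.10>
    Identifier vpn-gateway
    Secret     changeme-vpn
</Client>

# Everything else, e.g. WLAN controllers doing EAP-TTLS (assumed)
<Client DEFAULT>
    Secret     changeme-wlan
</Client>

# Does the real password check: plain MSCHAPv2, or EAP-TTLS with
# inner MSCHAPv2. Only column 0 (the password) is used here.
<AuthBy SQL>
    Identifier SQLauthenticate
    DBSource   dbi:Pg:dbname=radius;host=127.0.0.1    # assumed
    DBUsername radius                                   # assumed
    DBAuth     secret                                   # assumed
    AuthSelect select password from subscribers where user_name=%0
    AuthColumnDef 0, User-Password, check
    EAPType TTLS, MSCHAP-V2
    EAPTLS_CAFile          /etc/radiator/certs/ca.pem       # assumed
    EAPTLS_CertificateFile /etc/radiator/certs/server.pem   # assumed
    EAPTLS_PrivateKeyFile  /etc/radiator/certs/server.key   # assumed
</AuthBy>

# Never touches the password and never handles EAP itself: it only
# fetches reply attributes for a user the first AuthBy already accepted.
<AuthBy SQL>
    Identifier SQLauthorize
    DBSource   dbi:Pg:dbname=radius;host=127.0.0.1    # assumed
    DBUsername radius                                   # assumed
    DBAuth     secret                                   # assumed
    NoEAP
    NoCheckPassword
    AuthSelect select framed_ip, session_timeout from subscribers where user_name=%0
    AuthColumnDef 0, Framed-IP-Address, reply
    AuthColumnDef 1, Session-Timeout, reply
</AuthBy>

# Inner (tunnelled) EAP-TTLS requests: MSCHAPv2 challenge/response runs
# inside the tunnel, the authorization AuthBy runs once the inner
# authentication has accepted.
<Handler TunnelledByTTLS=1>
    AuthByPolicy ContinueWhileAccept
    AuthBy SQLauthenticate
    AuthBy SQLauthorize
</Handler>

# Plain MSCHAPv2 from the VPN gateway: one request, immediate accept
# or reject. The reply is restricted to what this NAS expects so that
# attributes added by SQLauthorize cannot upset it.
<Handler Client-Identifier=vpn-gateway>
    AuthByPolicy ContinueWhileAccept
    AuthBy SQLauthenticate
    AuthBy SQLauthorize
    AllowInReply MS-CHAP2-Success, MS-MPPE-Send-Key, MS-MPPE-Recv-Key, Framed-IP-Address, Session-Timeout
</Handler>

# Outer EAP-TTLS requests: SQLauthenticate handles the TLS tunnel and
# re-dispatches the inner request to the TunnelledByTTLS=1 Handler.
<Handler>
    AuthBy SQLauthenticate
</Handler>
```

With ContinueWhileAccept the second AuthBy is consulted only after the first has returned ACCEPT, so a bad password from SQLauthenticate rejects the request before SQLauthorize can add anything. Keeping AllowInReply on the plain-MSCHAPv2 Handler only, rather than on the default Handler, avoids filtering EAP-Message and Message-Authenticator out of outer EAP replies; whether AllowInReply would affect those attributes was not tested here and is best checked against the Radiator reference manual for the installed version.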
