[RADIATOR] TTLS with inner MSCHAPv2 vs. inner EAP-MSCHAPv2

Christian Kratzer ck-lists at cksoft.de
Tue Jun 9 08:53:14 CDT 2015


On Tue, 9 Jun 2015, Heikki Vatiainen wrote:
> On 9.6.2015 15.18, Christian Kratzer wrote:
>> yes that would help separate the cases but I would still need to solve
>> the non eap case, i.E how to ignore SQLauthorize while SQLauthenticate
>> is challenging the client.  Would something like this work for plain
>> MSCHAPv2 ?
>>      ContinueUntilChallenge
>>      AuthBy        SQLauthenticate
>>      AuthBy        SQLauthorize ( uses NoEAP and NoCheckPassword )
> Hmm, going back to your earlier message, I'd say 'AuthByPolicy
> ContinueWhileAccept' should be good for both EAP and non-EAP case.
> With plain (non-EAP) MSCHAPv2, there is no need to challenge the client.
> When EAP authentication is done, it does use challenge, but non-EAP does
> not. Radiator can immediately respond with accept or reject.
> If the client does not want to continue in the non-EAP case, then it may
> not like the response Radiator sends. This could happen when, for
> example, the response Radiator calculates is incorrect.
> If you switch to EAP-TTLS/PAP for testing, it should work similarly with
> one request and immediate accept/reject from Radiator.

Good tip.  It seems that some attributes added by SQLauthorize are
interfering. We added an AllowInReplay clause to the handler for non eap
cases and it seems to be working as planned.

Still testing though.


Christian Kratzer                   CK Software GmbH
Email:   ck at cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/

More information about the radiator mailing list