[RADIATOR] random EAP authentication errors since 4.17

Heikki Vatiainen hvn at open.com.au
Thu Dec 15 12:46:08 UTC 2016


On 15.12.2016 14.04, Hartmaier Alexander wrote:

>> If you get context from $p, it does not matter if, for example,
>> EAP_UseState was enabled or not. It's easier and more reliable to get
>> it from $p.
> I've removed EAP_UseState from our config since everything works as
> before. Can the nested auth of PEAP-TLS cause this in conjunction with
> the state ID generation?

I'd say in your case the call to get EAP worked fine because it simply 
returned the context that was retrieved earlier. In other words, it did 
the same as getting the context with $p->{EAPContext}.

> Our PostAuthHook already has this at the very top since the beginning.
> Is this the correct way to check?
>
> my $p      = ${$_[0]};
> my $rp     = ${$_[1]};
> my $result = $_[2];
> my $reason = $_[3];
>
> return
>         unless $$result == $main::ACCEPT;

Yes. This looks fine. The reason you are given a reference to result is 
that you can also change it in case you need to modify the result with 
your hook.

> Yes, but it only points to EAP.pm which didn't change much since 4.16.
> How should they be persisted after writing to $context?

I hope this is clarified below. Now when I look at the notes, I can see 
that a mention of eap_save_resume_context and 
eap_recover_resume_context could have been included.

> So basically write to and read from
> $context->{eap_resume_context}->{foo} instead of $context->{foo}?
> As this doesn't use an accessor method I'd like it at least documented
> somewhere so we can be sure it doesn't break without notice on one of
> the next updates.

Yes, that's correct. eap_resume_context points to the context that is 
saved across resumed sessions. You are correct that there are no 
accessors yet. These would be among the helpers for hooks that I wrote 
about earlier.
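The hook pattern discussed in this exchange, written out as an added example (it is not code from the original posts or from the Radiator distribution): a PostAuthHook that takes the EAP context from $p as recommended above, and stores per-session values in $context->{eap_resume_context} so they survive a resumed PEAP session, rather than in $context->{foo} where they would not. It assumes $p->{EAPContext} is the EAP context hash for the current request (undefined for non-EAP requests, which are skipped), that eap_resume_context is a plain hash the hook may create if absent, and that &main::log and $p->get_attr are available as in other Radiator hooks; the key names auth_count and first_auth_at are made up for the illustration.

```perl
# PostAuthHook for Radiator (added example, not from the original thread).
# Assumptions: $p->{EAPContext} holds the EAP context for this request;
# $context->{eap_resume_context} is a plain hash saved/recovered across
# resumed sessions; &main::log and $p->get_attr exist as in other hooks.
sub {
    my $p      = ${$_[0]};   # request packet
    my $rp     = ${$_[1]};   # reply packet
    my $result = $_[2];      # reference to the result code; writable
    my $reason = $_[3];      # reason text for rejects

    # Only act on a successful authentication
    return unless $$result == $main::ACCEPT;

    # Take the context from $p; this works whether or not EAP_UseState is set
    my $context = $p->{EAPContext};
    return unless defined $context;   # not an EAP request

    # Anything written here is saved with the resume context, so it is
    # still there when the client resumes the TLS session later.
    # Writing to $context->{auth_count} instead would be lost on resume.
    my $resume = $context->{eap_resume_context} ||= {};   # assumption: plain hash
    $resume->{auth_count}++;
    $resume->{first_auth_at} //= time();

    my $user = $p->get_attr('User-Name') // '?';
    &main::log($main::LOG_DEBUG,
        "PostAuthHook: $user accepted, session auths=$resume->{auth_count},"
        . " first at $resume->{first_auth_at}");

    # Example of using the persisted value: flag a resumed session in the
    # reply for downstream accounting (attribute name is illustrative only).
    $rp->add_attr('Reply-Message', 'resumed session') if $resume->{auth_count} > 1;

    return;
}
```

Because there are no accessor methods yet, the hook reads and writes eap_resume_context directly; if a later release adds helpers (as mentioned above), replacing the two direct hash accesses is the only change needed.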

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
