[RADIATOR] Unsupported EAP Response 26

michael.filz at zv-extern.fraunhofer.de michael.filz at zv-extern.fraunhofer.de
Thu Sep 12 07:15:06 UTC 2019

On Tue, 2019-09-10 at 19:31 +0300, Heikki Vatiainen wrote:
> On 10/09/2019 18.15, michael.filz at zv-extern.fraunhofer.de wrote:
> > <Handler TunnelledByPEAP=1,EAP-Message=/<REDACTED>/i>
> I recommend changing this to just: <Handler TunnelledByPEAP=1>
> Because PEAP can only carry EAP, the inner request is always built
> with 
> EAP-Message. Based on the log the redacted regexp did not match and
> it 
> fell back to the other Handler. While this allowed the final ack for
> EAP 
> 26 to happen, it is not allowed any longer.
> Thanks,
> Heikki

Thanks for your reply. I can confirm, that dropping the EAP-Message
prevents to message to be handled by the outer Handler. Unfortunately,
that doesn't exactly help matters.
I probably should have known better, but I redacted a bit too much.
There are actually two handlers (and AuthBy sections) for the inner
authentication that need to distinguish between different inner
identity formats. I basically have

<Handler TunnelledByPEAP=1,EAP-Message=/<PATTERN 1>/i>

<Handler TunnelledByPEAP=1,EAP-Message=/<PATTERN 2>/i>

I can omit the EAP-Message part, but then the first handler will be
used in all instances and authentication with the second pattern fails.
Any ideas?

Best wishes,

More information about the radiator mailing list