[RADIATOR] Can AuthBy FAILUREPOLICY be used together with EAP?
Heikki Vatiainen
hvn at open.com.au
Thu Feb 20 13:29:26 UTC 2020
On 18.2.2020 15.57, Ralf Wenk wrote:
> I have tried several possible configurations, but the result is
> always the same. The EAP-Message attribute is missing and because of
> that the outer EAP handler does not catch the packet.
That's correct. The AuthBy does not yet know that EAP requires special
handling.
> Do I miss/misunderstand something or can FAILUREPOLICY not be used in EAP
> authentication (yet)?
I think the main reason is that it knows nothing about EAP. Using it
with EAP-MSCHAP-V2 will also create an additional problem: with this
method the server can not just tell the client that the request was
accepted. It also has to prove that it knows the correct password (v2
part in the method). To be more specific: its response needs to be
derived from the same password the client is attempting to use.
Currently the failurepolicy authby just acts if the reason is bad
password and does not understand EAP. Our plan is to make it more
EAP aware. However, trying to accept a failed authentication can be
problematic with protocols such as (EAP-)MSCHAP-V2. With EAP-TTLS/PAP,
for example, this would be easier.
Thanks for letting us know how you'd like to use this AuthBy. While
MSCHAPv2 is problematic, it's useful to know what other requirements
there are apart from simple username/password authentication.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
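As an added illustration of the MS-CHAPv2 point made above (this is not Radiator code and not part of the original thread): the Success packet the server returns carries an authenticator response "S=<hash>" that RFC 2759 section 8.7 derives from the user's password hash, the NT-Response, both challenges and the user name, and the client verifies it before it accepts the session. A server that cannot verify the password cannot produce that value, which is why a "policy accept" cannot simply be bolted onto a failed MS-CHAPv2 attempt. The script below computes the authenticator response with the RFC 2759 section 9.2 test vector and shows that a different password produces a different value. MD4 is implemented inline because hashlib may lack it on OpenSSL 3 builds; the DES-based NT-Response (section 8.5) is not implemented and is taken from the RFC test vector instead.

```python
"""MS-CHAPv2 authenticator response (RFC 2759, 8.7) as a worked example.

Added illustration, not Radiator code. The NT-Response below is the value
from the RFC 2759 section 9.2 test vector; generating it needs DES and is
not shown here.
"""
import hashlib
import struct

MAGIC1 = b"Magic server to client signing constant"       # 39 octets
MAGIC2 = b"Pad to make it do more than one iteration"     # 41 octets


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for the NT password hash (MD4 over UTF-16LE)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    rounds = (
        (f, list(range(16)), 0x00000000, (3, 7, 11, 19)),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], 0x5A827999, (3, 5, 9, 13)),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], 0x6ED9EBA1, (3, 9, 11, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, order, const, shifts in rounds:
            for j, k in enumerate(order):
                i = (-j) % 4  # updates a, d, c, b in turn
                fx = fn(s[(i + 1) % 4], s[(i + 2) % 4], s[(i + 3) % 4])
                s[i] = rotl((s[i] + fx + x[k] + const) & 0xFFFFFFFF, shifts[j % 4])
        state = [(p + q) & 0xFFFFFFFF for p, q in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 of the UTF-16LE password (RFC 2759, 8.3)."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """ChallengeHash: first 8 octets of SHA-1(PeerChallenge||AuthChallenge||UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def authenticator_response(password: str, nt_response: bytes, peer_challenge: bytes,
                           auth_challenge: bytes, username: bytes) -> str:
    """GenerateAuthenticatorResponse (RFC 2759, 8.7): the S= value in the Success packet."""
    pw_hash_hash = md4(nt_password_hash(password))        # HashNtPasswordHash
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + chal + MAGIC2).digest()
    return "S=" + digest.hex().upper()


# Test vector from RFC 2759 section 9.2.
RFC_USER = b"User"
RFC_PASSWORD = "clientPass"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
RFC_AUTH_RESPONSE = "S=407A5589115FD0D6209F510FE9C04566932CDA56"


def demo():
    """Server side: only the password the client used yields the S= value it will accept."""
    good = authenticator_response(RFC_PASSWORD, RFC_NT_RESPONSE, RFC_PEER_CHALLENGE,
                                  RFC_AUTH_CHALLENGE, RFC_USER)
    # "wrongPass" is a constructed stand-in for whatever a failure policy would pretend to accept.
    bad = authenticator_response("wrongPass", RFC_NT_RESPONSE, RFC_PEER_CHALLENGE,
                                 RFC_AUTH_CHALLENGE, RFC_USER)
    return good == RFC_AUTH_RESPONSE, bad == RFC_AUTH_RESPONSE


if __name__ == "__main__":
    print(demo())
```

With EAP-TTLS/PAP the inner credential is a plaintext password and the server's reply carries no such proof, so a policy-based accept is feasible there; with (EAP-)MS-CHAPv2 the client rejects the Success packet unless the S= value matches what it computes from its own password.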