[RADIATOR] Can AuthBy FAILUREPOLICY be used together with EAP?

Heikki Vatiainen hvn at open.com.au
Thu Feb 20 13:29:26 UTC 2020


On 18.2.2020 15.57, Ralf Wenk wrote:

> I have tried several possible configurations, but the result is
> always the same. The EAP-Message attribute is missing and because of
> that the outer EAP handler does not catch the packet.

That's correct. The AuthBy does not yet know that EAP requires special 
handling.

> Do I miss/misunderstand something or can FAILUREPOLICY not be used in EAP
> authentication (yet)?

I think the main reason is that it knows nothing about EAP. Using it 
with EAP-MSCHAP-V2 will also create an additional problem: with this 
method the server cannot just tell the client that the request was 
accepted. It also has to prove that it knows the correct password (v2 
part in the method). To be more specific: its response needs to be 
derived from the same password the client is attempting to use.

Currently the failurepolicy authby just acts if the reason is bad 
password and does not understand EAP. Our plan is to make it more 
EAP aware. However, trying to accept a failed authentication can be 
problematic with protocols such as (EAP-)MSCHAP-V2. With EAP-TTLS/PAP, 
for example, this would be easier.

Thanks for letting us know how you'd like to use this AuthBy. While 
MSCHAPv2 is problematic, it's useful to know what other requirements 
there are apart from simple username/password authentication.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
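The MSCHAPv2 problem Heikki describes (the server must prove it knows the password, not merely say "accepted") can be seen in the Success reply itself. The following is an added example, not Radiator code and not part of this thread: it implements GenerateAuthenticatorResponse from RFC 2759 section 8.7 and the peer-side check, then shows that a server holding only a wrong password (which is all a "accept despite bad password" policy would have) cannot produce a Success message the client will accept. The usernames, challenges and NT-Response bytes are constructed stand-ins; verifying the client's NT-Response (which needs DES) is omitted because it does not affect the signing point. A pure-Python MD4 is included because hashlib's `md4` is often unavailable under OpenSSL 3 without the legacy provider.

```python
import hashlib
import hmac
import struct

# RFC 2759 section 8.7: constants mixed into the server's Success signature.
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def _md4_pure(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; used when hashlib has no md4 (OpenSSL 3, legacy provider off)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Pad: 0x80, zeros to 56 mod 64, then the bit length as little-endian 64-bit.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (a + func(b, c, d) + x[k] + const) & mask
                a, b, c, d = d, rotl(t, shifts[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def md4(data: bytes) -> bytes:
    """Prefer the OpenSSL MD4 when it is enabled, otherwise fall back to pure Python."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return _md4_pure(data)


def nt_password_hash(password: str) -> bytes:
    """RFC 2759 NtPasswordHash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: first 8 bytes of SHA1(peer || authenticator || user)."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username).digest()[:8]


def authenticator_response(password: str, nt_response: bytes, peer_challenge: bytes,
                           authenticator_challenge: bytes, username: bytes) -> str:
    """RFC 2759 section 8.7: the 'S=<40 hex>' string the server sends in its Success packet.
    Every byte of it depends on MD4(MD4(password)), so only a holder of the right password
    (or its NT hash) can produce it."""
    password_hash_hash = md4(nt_password_hash(password))
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_challenge, authenticator_challenge, username)
    digest = hashlib.sha1(digest + chal + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def peer_accepts_success(password: str, nt_response: bytes, peer_challenge: bytes,
                         authenticator_challenge: bytes, username: bytes, server_response: str) -> bool:
    """RFC 2759 section 8.8 CheckAuthenticatorResponse, as the client performs it with its own password."""
    expected = authenticator_response(password, nt_response, peer_challenge, authenticator_challenge, username)
    return hmac.compare_digest(expected, server_response)


def demo() -> tuple:
    """Constructed exchange. Returns (honest server accepted?, wrong-password server accepted?)."""
    username = b"ralf"                      # constructed
    authenticator_challenge = bytes(range(16))   # constructed; random in a real exchange
    peer_challenge = bytes(range(16, 32))        # constructed; random in a real exchange
    nt_response = bytes([0xA5] * 24)        # constructed stand-in; a real client derives it with DES
    client_password = "correct horse battery"    # constructed; what the client actually typed

    # Server that knows the same password signs its Success with it.
    honest = authenticator_response(client_password, nt_response, peer_challenge,
                                    authenticator_challenge, username)
    # Server applying "accept anyway" after a bad-password result has only its own (different) password.
    policy = authenticator_response("wrong password", nt_response, peer_challenge,
                                    authenticator_challenge, username)
    args = (client_password, nt_response, peer_challenge, authenticator_challenge, username)
    return (peer_accepts_success(*args, honest), peer_accepts_success(*args, policy))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second result is why a failure policy cannot simply turn an EAP-MSCHAPv2 reject into an accept: the client discards any Success whose `S=` value was not derived from the password it used, so the policy would have to know that password. With EAP-TTLS/PAP the server only has to return an Accept, which is why Heikki calls that case easier.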

