[RADIATOR] EAP-TTLS: How to forward inner requests to different backends depending on the inner authentication?
hvn at open.com.au
Thu Jan 16 18:26:37 UTC 2020
On 16/01/2020 8.12, Matti Saarinen wrote:
> It appears, that in our case the MSCHAPv2 part didn't have any EAP
> headers. So, instead I used MS-CHAP-Challenge=/.+/. That worked.
It's likely MSCHAP or MSCHAPv2 in this case, but not EAP. EAP-TTLS
supports PAP, CHAP, MSCHAP, MSCHAPv2 and EAP. EAP, in turn, often is
EAP-MSCHAP-V2. See section 11 for more: https://tools.ietf.org/html/rfc5281
In other words, MSCHAPv2 can arrive as "plain" or encapsulated in
EAP-MSCHAPv2. However, they are separate, and tunnelled messages use, and
are unpacked to, different attribute combinations for all supported
If the request is one of non-EAP MSCHAPs, then you can catch that like
above or with ExistsInRequest=MS-CHAP-Challenge.
> For some reason, I haven't managed to get TTLS+EAP-MSCHAPv2 working so
> far. I've yet to debug this further. Luckily, a very small part (if any)
> of our users use that combination
We can also take a look at the logs when needed.
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
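The split the thread describes, as an added example that is not part of the original post or of the Radiator distribution: inner EAP-TTLS requests are re-dispatched through the Handler list with the pseudo-attribute TunnelledByTTLS set, so a Handler that also checks for MS-CHAP-Challenge catches plain MSCHAP/MSCHAPv2, one that checks for EAP-Message catches inner EAP (typically EAP-MSCHAP-V2), and a bare TunnelledByTTLS Handler picks up what is left (PAP, CHAP). The backend hostnames, shared secrets, certificate paths and the users file are placeholders assumed for the example. Matching on EAP-Message=/.+/ for the inner EAP case is my assumption and mirrors the MS-CHAP-Challenge=/.+/ check from the post.

```text
# Added example: per-inner-method forwarding for EAP-TTLS in Radiator.
# Hostnames, secrets and paths are placeholders (assumed, not from the post).
# Handlers are tried in order; the first one whose check items match wins,
# so the specific inner handlers must come before the catch-all outer one.

<Handler TunnelledByTTLS=1, MS-CHAP-Challenge=/.+/>
	# Plain (non-EAP) MSCHAP or MSCHAPv2 inside the TTLS tunnel.
	# An equivalent way to select this Handler, as mentioned in the post:
	#   ExistsInRequest MS-CHAP-Challenge
	<AuthBy RADIUS>
		Host mschap-backend.example.com
		Secret placeholder-secret-1
		AuthPort 1812
		AcctPort 1813
	</AuthBy>
</Handler>

<Handler TunnelledByTTLS=1, EAP-Message=/.+/>
	# Inner EAP (e.g. EAP-MSCHAP-V2), proxied to a backend that speaks EAP.
	<AuthBy RADIUS>
		Host eap-backend.example.com
		Secret placeholder-secret-2
		AuthPort 1812
		AcctPort 1813
	</AuthBy>
</Handler>

<Handler TunnelledByTTLS=1>
	# Remaining tunnelled methods (PAP, CHAP).
	<AuthBy RADIUS>
		Host pap-backend.example.com
		Secret placeholder-secret-3
		AuthPort 1812
		AcctPort 1813
	</AuthBy>
</Handler>

<Handler>
	# Outer request: terminate the EAP-TTLS tunnel here.
	<AuthBy FILE>
		Filename %D/users
		EAPType TTLS
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword placeholder-key-password
		EAPAnonymous anonymous
		AutoMPPEKeys
	</AuthBy>
</Handler>
```

Keep the order shown: a bare <Handler> placed first would also match the re-dispatched inner requests and the method-specific Handlers would never run. When debugging which branch an inner request takes, a trace-level log shows the unpacked inner attributes, so the presence or absence of MS-CHAP-Challenge versus EAP-Message can be confirmed directly.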