On 10/01/2013 03:21 AM, David Zych wrote:

> However, EAP_25 (PEAP) only sets $context->{inner_identity} in
> replyFn after the inner authentication succeeds. In order for it to
> be available in case of reject, I'm experimenting with using a second
> PostAuthHook on the inner handler to _set_
> {outerRequest}->{EAPContext}->{inner_identity}. This seems to work
> in my testing so far, but I'm worried that it might have unintended
> consequences.

It appears the existence of {inner_identity} is also considered when deciding if the client should be allowed to do PEAP fast reconnect.

> I was wondering: is there an important reason that EAP_25 does *not*
> set $context->{inner_identity} as soon as the identity is available
> (or at least also in the reject case of replyFn)?

inner_identity can be set earlier too, but in this case EAP_25 should also set something like {inner_auth_success}, as EAP_21 does, and use that with the fast reconnect check.

> If yes, there's something going on that I don't understand, in which
> case setting it myself via PostAuthHook could cause problems and I
> should consider altering my plan. If no, then my plan is sound, but
> setting it in EAP_25 would be even better and save me a PostAuthHook.
> :)

I think the plan could be to introduce {inner_auth_success} and leave {inner_identity} just for logging and other such purposes. Would you be interested in testing this?

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>
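
The interaction discussed in this thread, as an added example: a simplified Python model, not Radiator code and not part of the original message. The context keys `inner_identity` and `inner_auth_success` come from the thread; the function names, the sample identity and the assumption that a resumable TLS session exists are hypothetical.

```python
# Simplified model of the thread's point; this is not Radiator code.
# Context keys follow the thread; all function names are hypothetical.

def inner_auth_finished(context, identity, accepted, set_identity_on_reject):
    """Record the outcome of the inner (tunnelled) authentication.

    set_identity_on_reject=False models the behaviour described in the
    thread (identity stored only after success). True models storing it
    early, e.g. from a PostAuthHook, so rejects can be logged with it.
    """
    if accepted or set_identity_on_reject:
        context["inner_identity"] = identity
    context["inner_auth_success"] = accepted


def fast_reconnect_by_identity(context, tls_session_resumed):
    """Fast reconnect check keyed on the existence of inner_identity."""
    return tls_session_resumed and "inner_identity" in context


def fast_reconnect_by_success_flag(context, tls_session_resumed):
    """Check keyed on an explicit success flag, as proposed in the reply."""
    return tls_session_resumed and context.get("inner_auth_success") is True


def evaluate(accepted, set_identity_on_reject):
    """Return (identity_for_logging, allowed_by_identity, allowed_by_flag).

    Assumes the client later presents a resumable TLS session (constructed
    scenario), so only the context decides the outcome.
    """
    context = {}
    inner_auth_finished(context, "alice@example.org", accepted,
                        set_identity_on_reject)
    return (
        context.get("inner_identity"),
        fast_reconnect_by_identity(context, True),
        fast_reconnect_by_success_flag(context, True),
    )


if __name__ == "__main__":
    for accepted in (True, False):
        for early in (False, True):
            print(f"accepted={accepted} early={early} ->",
                  evaluate(accepted, early))
```

In the rejected case with the identity stored early, the identity-based check passes while the flag-based check does not, which is why the reply ties fast reconnect to a separate success flag and leaves `inner_identity` for logging.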