Hello Christian,

MSCHAPv2 is a mutual authentication protocol where the client requires a response from the server. If the server doesn't send the correct response, the client will terminate the connection. So the server cannot just decide to accept the authentication as in the PAP case. I think that it is not possible to build a walled garden solution with that protocol.

If you use for example PEAP/GTC or EAP-TTLS/PAP, you can use AuthBy GROUP to group sequences and use a different policy inside them, for example like this:

    <Handler TunnelledByPEAP=1>
        Identifier TunnelledByPEAP=1
        AuthByPolicy ContinueWhileAccept
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileReject
            AuthBy SQLauthenticate
            <AuthBy INTERNAL>
                # Only reached when SQLauthenticate rejected: turn the reject
                # into an accept and mark the request with a VSA
                AuthHook sub { my $p = $_[0]; \
                    $p->add_attr('X-OSC-Auth-Status', 'Rejected'); \
                    return $main::ACCEPT; }
            </AuthBy>
        </AuthBy>
        AuthBy INTERNALextractFunnyStuffFromRequest
        AuthBy SQLauthorize
    </Handler>

In this example the inner AuthBy INTERNAL will change the reject to an accept and mark it with a vendor specific attribute that you can use in a later INTERNAL to determine whether the authentication was successful or not.

Best Regards,
Sami

On 02/24/2015 01:12 PM, Christian Kratzer wrote:
> Hi Sami,
>
> We made progress with our setup thanks to your previous tips.
>
> We now have the following setup, simplified a bit:
>
>     <Handler TunnelledByPEAP=1>
>         Identifier TunnelledByPEAP=1
>         AuthByPolicy ContinueWhileAccept
>         AuthBy SQLauthenticate
>         AuthBy INTERNALextractFunnyStuffFromRequest
>         AuthBy SQLauthorize
>     </Handler>
>
>     <Handler>
>         Identifier Outer
>         AuthBy FILE
>     </Handler>
>
> The issue we are currently chasing is that the customer also wants
> failed authentications to proceed into SQLauthorize so he can possibly
> put people into a walled garden with specific reply attributes.
>
> The issue seems to be that when MS-CHAP2 fails in TunneledByPeap it
> seems to kill the EAP session and authentication terminates.
>
> Subsequent packets are not forwarded to the tunneled handler by the
> outer handler.
>
> Do you have a suggestion how to accomplish authorization after a failed
> chap authentication?
>
> Regards
> Christian
>

--
Sami Keski-Kasari <sam...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
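The difference between the two Handler configurations in this thread comes down to how AuthByPolicy chains its AuthBy clauses. The following is an added model written for this page, not Radiator code and not Sami's or Christian's configuration: each AuthBy clause is a small Python function, the ContinueWhileAccept / ContinueWhileReject semantics are modelled from Radiator's documented behaviour, and the user table, the Filter-Id values and all function names are constructed assumptions. It runs both chains against a good and a bad password and shows that only the nested GROUP lets a failed user reach SQLauthorize with the X-OSC-Auth-Status marker set. It models a PAP/GTC inner method; with MS-CHAPv2 the client drops the session on a bad server response, as Sami explains, so no reply attributes would reach it anyway.

```python
# Added illustration (not Radiator code): a model of Radiator's AuthByPolicy
# chaining for the two Handler configurations in this thread. Each AuthBy
# clause is a callable taking (request, reply) and returning ACCEPT or REJECT.
# The user table, Filter-Id values and function names are constructed.

ACCEPT, REJECT = "ACCEPT", "REJECT"


def run_chain(policy, authbys, request, reply):
    """Evaluate AuthBy clauses in order under one AuthByPolicy.

    ContinueWhileAccept: keep going while clauses accept, stop at the first reject.
    ContinueWhileReject: keep going while clauses reject, stop at the first accept.
    The chain's result is the result of the last clause that ran.
    """
    result = REJECT
    for authby in authbys:
        result = authby(request, reply)
        if policy == "ContinueWhileAccept" and result != ACCEPT:
            break
        if policy == "ContinueWhileReject" and result != REJECT:
            break
    return result


# Constructed credential store standing in for AuthBy SQLauthenticate's lookup.
USERS = {"alice": "correct-horse"}


def sql_authenticate(req, reply):
    """Stand-in for AuthBy SQLauthenticate: plain password check (PAP/GTC inner method)."""
    if USERS.get(req["User-Name"]) == req["User-Password"]:
        return ACCEPT
    return REJECT


def mark_rejected(req, reply):
    """Stand-in for the inner AuthBy INTERNAL's AuthHook. Under ContinueWhileReject
    it is only reached when SQLauthenticate rejected, so it turns the reject into
    an accept and leaves a vendor specific attribute on the request."""
    req["X-OSC-Auth-Status"] = "Rejected"
    return ACCEPT


def extract_funny_stuff(req, reply):
    """Stand-in for AuthBy INTERNALextractFunnyStuffFromRequest (contents not shown in the thread)."""
    return ACCEPT


def sql_authorize(req, reply):
    """Stand-in for AuthBy SQLauthorize: hand out reply attributes, choosing the
    walled garden profile when the marker says authentication failed.
    The Filter-Id values are constructed examples."""
    if req.get("X-OSC-Auth-Status") == "Rejected":
        reply["Filter-Id"] = "walled-garden"
    else:
        reply["Filter-Id"] = "full-access"
    return ACCEPT


def inner_group(req, reply):
    """The <AuthBy GROUP> with AuthByPolicy ContinueWhileReject."""
    return run_chain("ContinueWhileReject", [sql_authenticate, mark_rejected], req, reply)


def handle_tunnelled_new(req):
    """Sami's suggested Handler: the GROUP first, then the remaining clauses
    under ContinueWhileAccept. Returns (result, reply attributes, marker)."""
    reply = {}
    result = run_chain("ContinueWhileAccept",
                       [inner_group, extract_funny_stuff, sql_authorize], req, reply)
    return result, reply, req.get("X-OSC-Auth-Status")


def handle_tunnelled_old(req):
    """Christian's original Handler: a reject from SQLauthenticate ends the chain,
    so SQLauthorize never runs for failed users and no walled garden is possible."""
    reply = {}
    result = run_chain("ContinueWhileAccept",
                       [sql_authenticate, extract_funny_stuff, sql_authorize], req, reply)
    return result, reply, req.get("X-OSC-Auth-Status")


if __name__ == "__main__":
    for pw in ("correct-horse", "wrong-password"):
        req = {"User-Name": "alice", "User-Password": pw}
        print("old:", handle_tunnelled_old(dict(req)))
        print("new:", handle_tunnelled_new(dict(req)))
```

In the real configuration the marker ends up on the request packet (that is what `$p->add_attr` does), so SQLauthorize or a later AuthBy INTERNAL reads it from the request attributes rather than from the reply, for example through Radiator's `%{X-OSC-Auth-Status}` substitution in a query. Note that the outer chain reports ACCEPT for the failed user as well; the walled garden is enforced purely by the reply attributes SQLauthorize chooses, so the NAS must be configured to honour them.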