Hi,
On Tue, 9 Jun 2015, Heikki Vatiainen wrote:
> On 9.6.2015 15.05, Christian Kratzer wrote:
>
>> On Tue, 9 Jun 2015, Heikki Vatiainen wrote:
>> <snipp/>
>>> It should now return accept or reject, not a challenge. If it accepts,
>>> it will tunnel MS-CHAP2-Success back to the client with the accept.
>>
>> this seems to lead to the problem in our setup.
>>
>> We have the following structure in the inner handler, with a second
>> AuthSQL cascaded after the authenticating SQL for authorisation:
>>
>> <Handler TunnelledByTTLS=1>
>> Identifier TunnelledByTTLS
>> AuthByPolicy ContinueWhileAccept
>> AuthBy SQLauthenticate
>> AuthBy SQLauthorize ( uses NoEAP and NoCheckPassword )
>> </Handler>
>>
>> In the EAP-MSCHAPv2 case Radiator does not proceed to SQLauthorize when
>> SQLauthenticate has produced a challenge:
>
> How about adding a Handler for EAP:
>
> <Handler TunnelledByTTLS=1, EAP-Message=/.+/>
> # Policies etc. to work with EAP
> </Handler>
>
> <Handler TunnelledByTTLS=1>
> # Policies to work with non-EAP requests
> </Handler>

Yes, that would help separate the cases, but I would still need to solve the
non-EAP case, i.e. how to ignore SQLauthorize while SQLauthenticate is
challenging the client. Would something like this work for plain MSCHAPv2?

ContinueUntilChallenge
AuthBy SQLauthenticate
AuthBy SQLauthorize ( uses NoEAP and NoCheckPassword )

Greetings
Christian
--
Christian Kratzer                   CK Software GmbH
Email:   [email protected]          Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator