The usual apologies if this has been dealt with before, or is just plain silly.
Something has always bothered me about the way passwords are handled for EAP-MD5 users.
An entry for an EAP user can look like this (say):
"joe"   Auth-Type := eap, User-Password == "hello"
        Session-Timeout = 300

(Side note: is the Auth-Type := eap part really necessary? I would expect not, since the eap module apparently adds the Auth-Type attribute to the config list regardless of what's included in the user entry.)
The users file man page says this about the == operator (applied to the User-Password attribute above):
"Attribute == Value" As a check item, it matches if the named attribute is present in the request, AND has the given value. Not allowed as a reply item.
And RFC 2269 says :
[Note 1] An Access-Request that contains either a User-Password or CHAP-Password or ARAP-Password or one or more EAP-Message attributes MUST NOT contain more than one type of those four attributes.
I take this to mean that the EAP-Message attribute and User-Password attribute are mutually exclusive, i.e. you can never have a User-Password attribute in a request if it has an EAP-Message attribute.
The above user profile does indeed work on 0.8.1 for EAP-MD5. But it shouldn't work, as far as I can see, since we have a check item (User-Password) which does not technically match any attribute in the request (User-Password isn't even present, since the request contains an EAP-Message). The request should not make it past the authorization stage. Any comments?
Thanks in advance!
Desmond
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
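As an added illustration (not part of the original message and not FreeRADIUS's own authorize code), the snippet below implements the two rules quoted in the post exactly as written: the users(5) semantics of a `==` check item (present in the request AND equal) and the RFC Note 1 rule that an Access-Request carries at most one of User-Password, CHAP-Password, ARAP-Password or EAP-Message. It parses the posted users entry and evaluates it against two constructed requests, one carrying a User-Password and one carrying only an EAP-Message. Under a literal reading, the EAP-only request fails the `User-Password ==` check item, which is the point the post raises; the code does not attempt to model why 0.8.1 nevertheless accepts it. The request attribute lists, the EAP-Message payload string and the function names are all constructed for the example.

```python
from dataclasses import dataclass

# RFC Note 1 as quoted in the post: an Access-Request MUST NOT contain more
# than one of these four credential attribute types.
CREDENTIAL_ATTRIBUTES = {"User-Password", "CHAP-Password",
                         "ARAP-Password", "EAP-Message"}


@dataclass(frozen=True)
class CheckItem:
    attribute: str
    operator: str   # "==" compares against the request; ":=" sets a config item
    value: str


def parse_check_items(entry_line):
    """Parse the first line of a users-file entry, e.g.
    '"joe" Auth-Type := eap, User-Password == "hello"'.
    Returns (user name, list of CheckItem)."""
    name, _, rest = entry_line.strip().partition(" ")
    items = []
    for raw in rest.split(","):
        raw = raw.strip()
        for op in (":=", "=="):
            lhs, sep, rhs = raw.partition(op)
            if sep:
                items.append(CheckItem(lhs.strip(), op, rhs.strip().strip('"')))
                break
        else:
            raise ValueError(f"unsupported check item: {raw!r}")
    return name.strip('"'), items


def note1_violation(request):
    """Return the set of credential attribute types present in the request if
    more than one is present (a Note 1 violation), otherwise an empty set.
    `request` is a list of (attribute, value) pairs, since EAP-Message may
    legitimately appear more than once."""
    present = {attr for attr, _ in request} & CREDENTIAL_ATTRIBUTES
    return present if len(present) > 1 else set()


def check_item_matches(item, request):
    """users(5): '==' matches only if the attribute is present in the request
    AND has the given value. ':=' is an assignment into the config list, not a
    comparison, so it never causes a mismatch."""
    if item.operator == "==":
        return any(attr == item.attribute and val == item.value
                   for attr, val in request)
    return True


def authorize(entry_line, request):
    """Literal reading of the users file: the entry applies only if the
    User-Name matches and every '==' check item matches the request.
    Returns (name matched?, list of check attributes that failed)."""
    name, items = parse_check_items(entry_line)
    user_names = [val for attr, val in request if attr == "User-Name"]
    name_ok = name in user_names
    failed = [i.attribute for i in items if not check_item_matches(i, request)]
    return name_ok, failed


# The entry from the post (only its check-item line matters here).
ENTRY = '"joe" Auth-Type := eap, User-Password == "hello"'

# Constructed requests (attribute values are placeholders, not real packets).
PAP_REQUEST = [("User-Name", "joe"), ("User-Password", "hello")]
EAP_REQUEST = [("User-Name", "joe"),
               ("EAP-Message", "<constructed EAP Response/Identity>"),
               ("Message-Authenticator", "<constructed>")]
MIXED_REQUEST = PAP_REQUEST + [("EAP-Message", "<constructed>")]

if __name__ == "__main__":
    for label, req in (("PAP", PAP_REQUEST), ("EAP", EAP_REQUEST)):
        ok, failed = authorize(ENTRY, req)
        print(f"{label}: name matched={ok}, failed check items={failed}")
    print("Note 1 violation in mixed request:", note1_violation(MIXED_REQUEST))
```

Run as a script it reports that the PAP request satisfies every check item, that the EAP-only request fails `User-Password`, and that a request carrying both User-Password and EAP-Message violates Note 1. In practice a RADIUS server validates Note 1 before any users-file lookup, so the mixed case should be rejected outright rather than evaluated against check items.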
