Hi, since no one answers I'll answer myself :-)

> in my setup I use TTLS-PAP to authenticate users (which works perfectly).
> Now I have set up a test user to enable some keepalive checking for the
> server. I use MySQL as backend and have put a Reply-Message attribute in
> radreply. It gets picked up alright in the tunneled user check and I have
> set "use_tunneled_reply" in eap.conf. So I'd expect to see that Reply-Message
> gets copied to the outside request upon returning the request. But this
> doesn't happen.

[snip...]

> Shouldn't the Reply-Message be copied to the outside when
> "use_tunneled_reply" is on?

I found that the behaviour is as expected (Reply-Message gets copied) when the user is authenticated, i.e. in Access-Accept messages. Out of curiosity, I looked into the source code in ttls.c and discovered that the copying is actually only done when the authentication is successful.

Are there any security reasons for this? If not, a consistent behaviour would be preferable and I'd consider the current situation to be a bug in either

a) just the documentation: the comments in eap.conf should clearly state that use_tunneled_reply only copies the attributes _upon success_

or

b) in the source, because it leads to an inconsistent behaviour when it shouldn't.

I'd be happy to provide a (trivial) patch to this problem in the case of b).

Greetings,

Stefan Winter

--
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingénieur réseau et système

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tél.: +352 424409-33
http://www.restena.lu        fax: +352 422473

