Nitin Bhardwaj wrote:
>  Hi,

   Please edit your posts.  It's not nice to go through hundreds of lines
of garbage in order to read the *real* content of the message.
Alan,
I posted the output of "radiusd -X" in the previous message, as is the norm on the mailing list, and replied to the same in the last message.
That is not *garbage*, is it?

>  Found out that this works perfectly fine in freeradius 3.0.0 (master git
>  branch).

   That's nice to know.

>  Can anyone please suggest which patches I need to back-port to 2.1.11 to
>  make this work in 2.1.x branch too ?

   You can't.  The code is *completely* different.

   Alan DeKok.
In 2.1.11, I observed that the problem happens when you set "proxy_tunneled_request_as_eap = no" (with "default_eap_type = mschapv2"). Hence it seems the function mschap_postproxy() in rlm_eap_mschapv2.c is somehow wiping off the extra attributes.

Comparing the radiusd -X logs of 2.x with 3.x corroborates this observation:
-------------------------< snip-log 2.x >-------------------------------
# Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server proxy-inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
# Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8e86e20 2.
  rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
++[eap] returns ok
  WARNING: Empty post-auth section.  Using default return values.
} # server proxy-inner-tunnel
-------------------------< snip-end >-------------------------------

-------------------------< snip-log 3.x >---------------------------
(8) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
(8)   group post-proxy {
(8)  - entering group post-proxy {...}
(8) eap : Doing post-proxy callback
(8) eap : Passing reply from proxy back into the tunnel.
server proxy-inner-tunnel {
(8) eap : Passing reply back for EAP-MS-CHAP-V2
(8) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
(8)   group post-proxy {
(8)  - entering group post-proxy {...}
(8)   [eap] = noop
(8)   WARNING: Empty post-auth section.  Using default return values.
} # server proxy-inner-tunnel
-------------------------< snip-end >-------------------------------

In the 3.x code, we are returning RLM_MODULE_NOOP from eap_post_proxy():

    /*
     *  Just in case the admin lists EAP in post-proxy-type Fail.
     */
    if (!request->proxy_reply) return RLM_MODULE_NOOP;

But we are not doing so in 2.1.11 code. We call the MSCHAPv2 callback, i.e. mschap_postproxy(),
which might be wiping off the attributes.

So, my question is: would adding this code patch to the 2.x code be prudent to make it work? Or do we need to fix the mschapv2 handler itself, mschap_postproxy() in rlm_eap_mschapv2.c, so that it retains the extra attributes
sent by the RADIUS home server?

Please advise.

--
Thanks,
Nitin.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
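
Added example (not part of the original message, and not FreeRADIUS code): a small Python script that automates the by-hand comparison in the post, reading "radiusd -X" output in both the 2.x and 3.x formats and reporting, per virtual-server file, the eap module's post-proxy return code and whether rlm_eap_mschapv2 logged anything there. The sample logs are trimmed from the excerpts above; the function name and the regexes are assumptions derived only from those lines.

```python
import re

# Constructed samples: lines trimmed from the 2.x and 3.x excerpts in the post.
LOG_2X = """\
# Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
[eap] Doing post-proxy callback
server proxy-inner-tunnel {
# Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
[eap] Doing post-proxy callback
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8e86e20 2.
++[eap] returns ok
} # server proxy-inner-tunnel
"""
LOG_3X = """\
(8) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
(8) eap : Doing post-proxy callback
server proxy-inner-tunnel {
(8) # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
(8)   [eap] = noop
} # server proxy-inner-tunnel
"""

SECTION = re.compile(r"# Executing section (\S+) from file \S*/([^/\s]+)$")
RCODE = re.compile(r"^(?:\++\[(\w+)\] returns|\[(\w+)\] =) (\w+)$")  # 2.x | 3.x form
PREFIX = re.compile(r"^\(\d+\)\s*")  # 3.x request-number prefix such as "(8) "

def post_proxy_summary(log):
    """Per virtual-server file: eap's post-proxy rcode and whether mschapv2 logged."""
    out, current = {}, None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw.strip())
        m = SECTION.search(line)
        if m:  # a new section starts; only post-proxy sections are tracked
            current = m.group(2) if m.group(1) == "post-proxy" else None
            if current:
                out.setdefault(current, {"eap_rcode": None, "mschapv2_callback": False})
            continue
        if current is None:
            continue
        if line.startswith("rlm_eap_mschapv2:"):
            out[current]["mschapv2_callback"] = True
        m = RCODE.match(line)
        if m and (m.group(1) or m.group(2)) == "eap":
            out[current]["eap_rcode"] = m.group(3)
    return out

if __name__ == "__main__":
    for name, log in (("2.x", LOG_2X), ("3.x", LOG_3X)):
        print(name, post_proxy_summary(log))
```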
