On Tue, 2019-09-10 at 19:31 +0300, Heikki Vatiainen wrote:
> On 10/09/2019 18.15, [email protected] wrote:
>
> > <Handler TunnelledByPEAP=1,EAP-Message=/<REDACTED>/i>
>
> I recommend changing this to just: <Handler TunnelledByPEAP=1>
>
> Because PEAP can only carry EAP, the inner request is always built with
> EAP-Message. Based on the log the redacted regexp did not match and it
> fell back to the other Handler. While this allowed the final ack for EAP
> 26 to happen, it is not allowed any longer.
>
> Thanks,
> Heikki

Thanks for your reply. I can confirm that dropping the EAP-Message prevents the message from being handled by the outer Handler. Unfortunately, that doesn't exactly help matters.

I probably should have known better, but I redacted a bit too much. There are actually two handlers (and AuthBy sections) for the inner authentication that need to distinguish between different inner identity formats. I basically have

<Handler TunnelledByPEAP=1,EAP-Message=/<PATTERN 1>/i>
...
<Handler TunnelledByPEAP=1,EAP-Message=/<PATTERN 2>/i>
...

I can omit the EAP-Message part, but then the first handler will be used in all instances and authentication with the second pattern fails.

Any ideas?

Best wishes,
Michael
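An added illustration, not part of the thread and not Radiator code: it builds the inner EAP-Response packets of an EAP-MSCHAPv2 (EAP type 26) exchange and shows which of them carry the user name at all, which is why an identity pattern tested against EAP-Message cannot match the final ack. The user name and pattern are constructed stand-ins for the redacted ones, and the pattern is assumed to be applied to the raw packet bytes.

```python
import re
import struct

EAP_RESPONSE = 2
TYPE_IDENTITY = 1
TYPE_MSCHAPV2 = 26
OP_RESPONSE, OP_SUCCESS = 2, 3   # EAP-MSCHAPv2 OpCodes

def eap_response(ident, eap_type, data):
    """Build an EAP-Response: Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), eap_type) + data

def carried_name(packet):
    """Return the user name an inner EAP-Response carries, or None."""
    if len(packet) < 5:
        return None
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or length != len(packet):
        return None
    data = packet[5:]
    if eap_type == TYPE_IDENTITY:
        return data.decode("utf-8", "replace")
    if eap_type == TYPE_MSCHAPV2 and len(data) >= 5 and data[0] == OP_RESPONSE:
        # OpCode, MS-CHAPv2-ID, MS-Length (2), Value-Size, Value, then Name
        value_size = data[4]
        return data[5 + value_size:].decode("utf-8", "replace")
    return None  # Success/Failure responses consist of the OpCode only

# Constructed sample data (hypothetical user and pattern)
USER = b"alice@example.org"
PATTERN = re.compile(rb"@example\.org", re.I)

IDENTITY = eap_response(1, TYPE_IDENTITY, USER)
MSCHAP_RESPONSE = eap_response(
    2, TYPE_MSCHAPV2,
    struct.pack("!BBHB", OP_RESPONSE, 2, 54 + len(USER), 49) + bytes(49) + USER)
SUCCESS_ACK = eap_response(3, TYPE_MSCHAPV2, bytes([OP_SUCCESS]))

def pattern_hits():
    """Map each inner packet to whether the identity pattern matches it."""
    packets = {"identity": IDENTITY, "mschapv2-response": MSCHAP_RESPONSE,
               "success-ack": SUCCESS_ACK}
    return {name: PATTERN.search(pkt) is not None for name, pkt in packets.items()}

if __name__ == "__main__":
    for name, hit in pattern_hits().items():
        print(f"{name:18} pattern match: {hit}")
```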
