On Thu, 2019-09-12 at 13:38 +0300, Heikki Vatiainen wrote:
> On 12/09/2019 10.15, [email protected] wrote:
>
> > I probably should have known better, but I redacted a bit too much.
> > There are actually two handlers (and AuthBy sections) for the inner
> > authentication that need to distinguish between different inner
> > identity formats. I basically have
> >
> > <Handler TunnelledByPEAP=1,EAP-Message=/<PATTERN 1>/i>
> > ...
> >
> > <Handler TunnelledByPEAP=1,EAP-Message=/<PATTERN 2>/i>
> > ...
> >
> > I can omit the EAP-Message part, but then the first handler will be
> > used in all instances and authentication with the second pattern
> > fails.
> > Any ideas?
>
> Do you think you could add an attribute in the inner request to make
> inner TunnelledByPEAP handler selection easier? In other words, not to
> rely on EAP-Message contents but something that you set, for example,
> with PreHandlerHook within the outer Handler's AuthBy that has PEAP
> configured as an EAPType.

In theory yes, but after several hours of browsing both the documentation, web and some of the sources I still can't figure out how to access the inner request's user name (which I need to distinguish the handlers). Can that even be done?

> In your other message with comparison between 4.18 and 4.23, they both
> show that the final EAP-MSCHAP-V2 message (type 26) is processed by
> outer Handler that has only EAPType PEAP configured.
>
> Your configuration is not typical because it does deliver EAP messages
> belonging to the same EAP authentication exchange to different
> Handlers.
> With 4.18 the final handshake was allowed to finish because EAP 26 had
> already started. With 4.23 each AuthBy only processes EAP messages for
> the types its EAPType lists. This is normally not a problem because EAP
> for a certain type is always handled by the same AuthBy. With a
> configuration like you have, EAP starts with type 26 enabled AuthBy but
> then gets switched to an AuthBy that does only type 25 (PEAP).

Thanks for the explanation.

Greetings,
Michael

_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
