On 16/01/2020 8.12, Matti Saarinen wrote:
It appears that in our case the MSCHAPv2 part didn't have any EAP headers. So, instead I used MS-CHAP-Challenge=/.+/. That worked.
It's likely MSCHAP or MSCHAPv2 in this case, but not EAP. EAP-TTLS supports PAP, CHAP, MSCHAP, MSCHAPv2 and EAP. EAP, in turn, often is EAP-MSCHAP-V2. See section 11 for more: https://tools.ietf.org/html/rfc5281
In other words, MSCHAPv2 can arrive as "plain" or encapsulated with EAP-MSCHAPv2. However, they are separate and tunnelled messages use, and are unpacked to, different attribute combinations for all supported protocols.
If the request is one of the non-EAP MSCHAPs, then you can catch that like above or with ExistsInRequest=MS-CHAP-Challenge.
For some reason, I haven't managed to get TTLS+EAP-MSCHAPv2 working so far. I've yet to debug this further. Luckily, a very small part (if any) of our users use that combination.
We can also take a look at the logs when needed.

Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
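
The attribute combinations mentioned in the message above, as an added example that is not part of the original thread and is not Radiator code: a Python sketch that classifies the inner method of an EAP-TTLS tunnel from the unpacked attributes, following RFC 5281 section 11. The function names and the sample requests are constructed for illustration.

```python
import struct

# IANA EAP method type numbers relevant to this thread
EAP_TYPES = {1: "EAP-Identity", 26: "EAP-MSCHAPv2"}

def eap_method(eap_message: bytes) -> str:
    """Name the EAP type carried in one EAP-Message attribute value."""
    if len(eap_message) < 5:
        return "EAP (no type field)"
    # EAP header: Code(1) Identifier(1) Length(2), then Type(1)
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap_message[:5])
    if length != len(eap_message) or code not in (1, 2):
        return "EAP (malformed)"
    return EAP_TYPES.get(eap_type, f"EAP type {eap_type}")

def classify_inner(attrs: dict) -> str:
    """Classify the tunnelled method from the attributes unpacked from TTLS."""
    if "EAP-Message" in attrs:                 # inner EAP, e.g. EAP-MSCHAPv2
        return eap_method(attrs["EAP-Message"])
    if "MS-CHAP-Challenge" in attrs:           # non-EAP ("plain") MSCHAP family
        if "MS-CHAP2-Response" in attrs:
            return "MSCHAPv2"
        if "MS-CHAP-Response" in attrs:
            return "MSCHAP"
        return "MS-CHAP-Challenge without a response"
    if "CHAP-Password" in attrs:
        return "CHAP"
    if "User-Password" in attrs:
        return "PAP"
    return "unknown"

def eap_response(eap_type: int, data: bytes, ident: int = 1) -> bytes:
    """Build an EAP Response packet (code 2) for the constructed samples."""
    return struct.pack("!BBHB", 2, ident, 5 + len(data), eap_type) + data

# Constructed sample inner requests (all values are placeholders)
SAMPLES = {
    "plain": {"User-Name": "alice", "MS-CHAP-Challenge": bytes(16),
              "MS-CHAP2-Response": bytes(50)},
    "eap": {"User-Name": "alice", "EAP-Message": eap_response(26, bytes(59))},
    "identity": {"EAP-Message": eap_response(1, b"alice")},
    "pap": {"User-Name": "alice", "User-Password": b"secret"},
}

if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        print(f"{name:9} -> {classify_inner(attrs)}")
```

Only the "plain" sample carries MS-CHAP-Challenge, which is why a check on that attribute matches non-EAP MSCHAP and not EAP-MSCHAPv2.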
