On 18.2.2020 15.57, Ralf Wenk wrote:
> I have tried several possible configurations, but the result is always the same. The EAP-Message attribute is missing and because of that the outer EAP handler does not catch the packet.
That's correct. The AuthBy does not yet know that EAP requires special handling.
> Do I miss/misunderstand something, or can FAILUREPOLICY not be used in EAP authentication (yet)?
I think the main reason is that it knows nothing about EAP. Using it with EAP-MSCHAP-V2 will also create an additional problem: with this method the server cannot just tell the client that the request was accepted. It also has to prove that it knows the correct password (the v2 part in the method). To be more specific: its response needs to be derived from the same password the client is attempting to use.
Currently the failurepolicy authby just acts if the reason is bad password and does not understand EAP. Our plan is to make it more EAP aware. However, trying to accept a failed authentication can be problematic with protocols such as (EAP-)MSCHAP-V2. With EAP-TTLS/PAP, for example, this would be easier.
Thanks for letting us know how you'd like to use this AuthBy. While MSCHAPv2 is problematic, it's useful to know what other requirements there are apart from simple username/password authentication.
Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
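The point Heikki makes above, that an MS-CHAPv2 server cannot simply say "accepted" because the client checks a Success message against its own password, can be seen in a small model of the exchange. The following is an added example written for this page; it is not Radiator code and not the FAILUREPOLICY AuthBy. It keeps the message shape of RFC 2759 (peer challenge, authenticator challenge, 24-byte NT-Response, "S=" followed by 40 hex digits, ChallengeHash, the two magic constants) but replaces the MD4 and DES primitives with SHA-256/HMAC-SHA256 so it runs on the standard library alone; the values it produces are therefore not interoperable with real MS-CHAPv2. The `Server`, `Client` and `run_exchange` names and the `accept_on_failure` flag (which stands in for an accept-on-bad-password policy) are this example's own.

```python
"""Why an 'accept anyway' policy cannot work for (EAP-)MS-CHAPv2: a model.

Constructed example. RFC 2759 message structure, stand-in primitives
(SHA-256 / HMAC-SHA256 instead of MD4 / DES), so NOT wire-compatible.
"""
import hashlib
import hmac
import os

# Constants from RFC 2759, GenerateAuthenticatorResponse().
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def nt_password_hash(password: str) -> bytes:
    # Real protocol: MD4(UTF-16LE(password)). Stand-in: SHA-256 of the same bytes.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    # RFC 2759 ChallengeHash(): SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8]
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def nt_response(password_hash: bytes, challenge: bytes) -> bytes:
    # Real protocol: three DES encryptions of the 8-byte challenge under 7-byte
    # slices of the padded hash. Stand-in: keyed HMAC truncated to the same 24 bytes.
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()[:24]


def authenticator_response(password_hash: bytes, nt_resp: bytes, peer_challenge: bytes,
                           auth_challenge: bytes, username: str) -> str:
    # Mirrors GenerateAuthenticatorResponse(): the value is bound to the password
    # hash, so whoever produces it must hold the password the client used.
    password_hash_hash = hashlib.sha256(password_hash).digest()  # real: MD4(MD4(pw))
    digest = hashlib.sha1(password_hash_hash + nt_resp + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    return "S=" + hashlib.sha1(digest + challenge + MAGIC2).hexdigest().upper()


class Server:
    """Authenticator holding only the stored credential for the user."""

    def __init__(self, username: str, password: str, accept_on_failure: bool = False):
        self.username = username
        self.stored_hash = nt_password_hash(password)
        self.accept_on_failure = accept_on_failure  # hypothetical 'accept anyway' policy
        self.auth_challenge = os.urandom(16)

    def handle_response(self, peer_challenge: bytes, nt_resp: bytes):
        challenge = challenge_hash(peer_challenge, self.auth_challenge, self.username)
        expected = nt_response(self.stored_hash, challenge)
        if not hmac.compare_digest(expected, nt_resp) and not self.accept_on_failure:
            return "Failure", None
        # Even when told to accept, the only password material the server has is
        # its stored hash; the Success message must carry a response derived from it.
        return "Success", authenticator_response(
            self.stored_hash, nt_resp, peer_challenge, self.auth_challenge, self.username)


class Client:
    """Supplicant; checks the server's Success against its own password."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.password_hash = nt_password_hash(password)
        self.peer_challenge = os.urandom(16)
        self.nt_resp = b""

    def respond(self, auth_challenge: bytes):
        challenge = challenge_hash(self.peer_challenge, auth_challenge, self.username)
        self.nt_resp = nt_response(self.password_hash, challenge)
        return self.peer_challenge, self.nt_resp

    def check_success(self, auth_challenge: bytes, auth_resp: str) -> bool:
        expected = authenticator_response(
            self.password_hash, self.nt_resp, self.peer_challenge, auth_challenge, self.username)
        return hmac.compare_digest(expected.encode(), auth_resp.encode())


def run_exchange(client_password: str, server_password: str,
                 accept_on_failure: bool = False, username: str = "ralf") -> str:
    """Run one challenge/response round and report how it ends."""
    server = Server(username, server_password, accept_on_failure)
    client = Client(username, client_password)
    peer_challenge, nt_resp = client.respond(server.auth_challenge)
    code, auth_resp = server.handle_response(peer_challenge, nt_resp)
    if code == "Failure":
        return "server rejected"
    if client.check_success(server.auth_challenge, auth_resp):
        return "mutual auth ok"
    return "client rejected server"  # Success sent, but not provable with the right password


if __name__ == "__main__":
    print(run_exchange("correct-pw", "correct-pw"))
    print(run_exchange("wrong-pw", "correct-pw"))
    print(run_exchange("wrong-pw", "correct-pw", accept_on_failure=True))
```

The third run is the FAILUREPOLICY situation: the server overrides the bad-password result and sends Success, but the client recomputes the authenticator response from the password it actually typed, the two do not match, and the client abandons the session. This is what makes "accept a failed authentication" workable for TTLS/PAP (the inner password is sent in the clear inside the tunnel and no proof flows back) but not for MS-CHAPv2.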
