On 05/02/2013 10:52 PM, Johnson, Neil M wrote:
> I'm trying to get TTLS-EAP-MSCHAPv2 working.
>
> I've found that if I have EAPAnonymous set to %0, it does not work.
Hello Neil,
I agree EAPAnonymous %0 seems not to fetch the inner EAP Identity
correctly. I looked at the code and there's a difference between
EAP-TTLS vs. PEAP and EAP-FAST here.
> If I set EAPAnonymous to %{User-Name}, it works.
Note that this is the User-Name from the outer request. This may or may
not be the same as inner EAP Identity.
> The only difference I see is that the username in the [] field is
> empty when EAPAnonymous %0 is set and is [[email protected]] when
> EAPAnonymous is set to %{User-Name}.
The brackets [] mark the original User-Name before any rewrites and
other changes. With EAPAnonymous %0 the TTLS code currently sets the
inner request's User-Name to empty.
There is one difference with EAP-TTLS EAPAnonymous compared to other
tunneling EAPs, with one exception: if there already is a User-Name,
this User-Name is not modified. This happens with e.g., EAP-TTLS/PAP.
When you use EAPAnonymous %{User-Name} the inner User-Name gets its
value from the RADIUS message's (outer request) value.
> Is this expected behavior, or a bug ?
I think this is a bug. I can send you a fixed EAP_21.pm if you could
test it before it gets applied to the patches.
Thanks,
Heikki
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.