Sam Schultz wrote: > I was just wondering if the bug from this post has been fixed since 1.1.6:
No. It looks like the fix to make tunneled & proxied MS-CHAP work broke this. i.e. a "pairmove" was turned into a "pairadd". See src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c: ... /* * If we've been told to use the attributes from * the reply, then do so. * * WARNING: This may leak information about the * tunneled user! */ if (t->use_tunneled_reply) { pairdelete(&reply->vps, PW_PROXY_STATE); pairadd(&request->reply->vps, reply->vps); reply->vps = NULL; } ... change the "pairadd" to a "pairmove", and also in rlm_eap_ttls.c: case EAPTLS_SUCCESS: if (t->authenticated) { if (t->reply) { pairadd(&handler->request->reply->vps, t->reply); t->reply = NULL; } ... Change this one, too. If it works, I'll commit a patch. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html