> auth: type "EAP" > +- entering group authenticate > rlm_eap: Request found, released from the list > rlm_eap: EAP/mschapv2 > rlm_eap: processing type mschapv2 > +- entering group MS-CHAP > rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password > rlm_mschap: adding MS-CHAPv2 MPPE keys > ++[mschap] returns ok > MSCHAP Success > ++[eap] returns handled > Sending Access-Challenge of id 3 to x.x.x.x port 1812 > MS-CHAP2-Success = > 0x01533d463936353246454443333542423338354535333743303338333739 > 41393735313330363134413336 > EAP-Message = > 0x010200331a0301002e533d46393635324645444333354242333835453533 > 374330333833373941393735313330363134413336 > Message-Authenticator = 0x00000000000000000000000000000000 > State = 0xabe2000baae01ac677bcdaf79192ae6c > Finished request 1.
That looks like a bug to me. It's a violation of RFC2548: 2.3.3. MS-CHAP2-Success Description This Attribute contains a 42-octet authenticator response string. This string MUST be included in the Message field of the MS-CHAP- V2 Success packet sent from the NAS to the peer. This Attribute is only used in Access-Accept packets. It might be worth checking the logic in the eap-mschap module; it should be pretty obvious to see where it is going wrong. josh. JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html