On 15.12.2016 14.04, Hartmaier Alexander wrote:

>> If you get context from $p, it does not matter if, for example,
>> EAP_UseState was enabled or not. It's easier and more reliable to get
>> it from $p.
>
> I've removed EAP_UseState from our config since everything works as
> before. Can the nested auth of PEAP-TLS cause this in conjunction with
> the state ID generation?

I'd say in your case the call to get EAP worked fine because it simply returned the context that was retrieved earlier. In other words, it did the same as getting the context with $p->{EAPContext}.

> Our PostAuthHook already has this at the very top since the beginning.
> Is this the correct way to check?
>
> my $p      = ${$_[0]};
> my $rp     = ${$_[1]};
> my $result = $_[2];
> my $reason = $_[3];
>
> return
>         unless $$result == $main::ACCEPT;

Yes. This looks fine. The reason you are given a reference to result is that you can also change it in case you need to modify the result with your hook.

> Yes, but it only points to EAP.pm which didn't change much since 4.16.
> How should they be persisted after writing to $context?

I hope this is clarified below. Now when I look at the notes, I can see that a mention of eap_save_resume_context and eap_recover_resume_context could have been included.

> So basically write to and read from
> $context->{eap_resume_context}->{foo} instead of $context->{foo}?
> As this doesn't use an accessor method I'd like it at least documented
> somewhere so we can be sure it doesn't break without notice on one of
> the next updates.

Yes, that's correct. eap_resume_context points to the context that is saved across resumed sessions. You are correct that there are no accessors yet. These would be among the helpers for hooks that I wrote about earlier.

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
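
A sketch of the pattern discussed in this message, added here as an illustration; it is not code from the thread or from Radiator. It assumes 0 as a stand-in for $main::ACCEPT outside radiusd, uses a hypothetical key foo_from_resume, and models a resumed session as a new context that shares only eap_resume_context with the original one.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in so the sketch runs outside radiusd (assumed value; inside
# Radiator the hook uses the $main::ACCEPT that the server defines).
$main::ACCEPT = 0 unless defined $main::ACCEPT;

# PostAuthHook body with the argument layout shown in the thread.
my $hook = sub {
    my $p      = ${ $_[0] };
    my $rp     = ${ $_[1] };
    my $result = $_[2];
    my $reason = $_[3];

    return unless $$result == $main::ACCEPT;

    # Take the context from the request instead of looking it up again.
    my $context = $p->{EAPContext};
    return unless ref $context;

    # Per the thread, only this sub-hash survives into a resumed session.
    my $resume = $context->{eap_resume_context} ||= {};
    if (exists $resume->{foo}) {
        $context->{foo_from_resume} = $resume->{foo};    # hypothetical key
    }
    else {
        $resume->{foo} = 'set-at-full-auth';             # constructed value
    }
    return;
};

# Constructed model: a full authentication, then a resumed session whose
# new context shares nothing with the first except eap_resume_context.
my $full    = { foo => 'lost on resume', eap_resume_context => {} };
my $resumed = { eap_resume_context => $full->{eap_resume_context} };

for my $context ($full, $resumed) {
    my ($p, $rp, $result, $reason) = ({ EAPContext => $context }, {}, $main::ACCEPT, '');
    $hook->(\$p, \$rp, \$result, \$reason);
}

printf "top-level foo on resumed context: %s\n", $resumed->{foo} // '(absent)';
printf "foo restored from resume context: %s\n", $resumed->{foo_from_resume} // '(absent)';
```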