Hi,

On Tue, 9 Jun 2015, Heikki Vatiainen wrote:
> On 9.6.2015 15.05, Christian Kratzer wrote:
>
>> On Tue, 9 Jun 2015, Heikki Vatiainen wrote:
>> <snipp/>
>>> It should now return accept or reject, not a challenge. If it accepts,
>>> it will tunnel MS-CHAP2-Success back to the client with the accept.
>>
>> this seems to lead to the problem in our setup.
>>
>> We have the following structure in the inner handler with a cascaded
>> second AuthSQL after the authenticating sql for authorisation:
>>
>> <Handler TunnelledByTTLS=1>
>>     Identifier TunnelledByTTLS
>>     AuthByPolicy ContinueWhileAccept
>>     AuthBy SQLauthenticate
>>     AuthBy SQLauthorize ( uses NoEAP and NoCheckPassword )
>> </Handler>
>>
>> In the EAP-MSCHAPv2 case radiator does not proceed to SQLauthorize when
>> SQLauthenticate has produced a challenge:
>
> How about adding a Handler for EAP:
>
> <Handler TunnelledByTTLS=1, EAP-Message=/.+/>
>     # Policies etc. to work with EAP
> </Handler>
>
> <Handler TunnelledByTTLS=1>
>     # Policies to work with non-EAP requests
> </Handler>

yes that would help separate the cases but I would still need to solve the non-EAP case, i.e. how to ignore SQLauthorize while SQLauthenticate is challenging the client.

Would something like this work for plain MSCHAPv2?

    ContinueUntilChallenge
    AuthBy SQLauthenticate
    AuthBy SQLauthorize ( uses NoEAP and NoCheckPassword )

Greetings
Christian

-- 
Christian Kratzer                   CK Software GmbH
Email:   c...@cksoft.de             Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
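
An added example, not part of the thread and not Radiator code: a simplified Python model of the two policies discussed above, assuming a chain stops as the policy name says and the Handler returns the result of the last AuthBy that ran. The module functions, the user name and the sample requests are constructed stand-ins; the model shows which modules run on a challenge and what each policy does when the password-checking module rejects and the next module does not check the password.

```python
# Simplified model of an AuthBy chain (an assumption for illustration,
# not Radiator's implementation).
ACCEPT, REJECT, CHALLENGE = "ACCEPT", "REJECT", "CHALLENGE"

# Policy name -> predicate on the last result: run the next AuthBy?
POLICIES = {
    "ContinueWhileAccept": lambda r: r == ACCEPT,
    "ContinueUntilChallenge": lambda r: r != CHALLENGE,
}

def run_chain(policy, modules, request):
    """Run modules in order; return (final_result, names_of_modules_run)."""
    keep_going = POLICIES[policy]
    result, ran = REJECT, []
    for name, module in modules:
        result = module(request)
        ran.append(name)
        if not keep_going(result):
            break
    return result, ran

def sql_authenticate(req):
    # Stand-in for the password-checking AuthBy: the first MSCHAPv2
    # round produces a challenge, the second accepts or rejects.
    if req["stage"] == "start":
        return CHALLENGE
    return ACCEPT if req["response_ok"] else REJECT

def sql_authorize(req):
    # Stand-in for the NoCheckPassword AuthBy: it only checks that the
    # user has an authorisation row, never the credentials.
    return ACCEPT if req["user"] in {"alice"} else REJECT

CHAIN = [("SQLauthenticate", sql_authenticate),
         ("SQLauthorize", sql_authorize)]

# Constructed sample requests covering the three interesting outcomes.
CASES = {
    "challenge": {"user": "alice", "stage": "start", "response_ok": False},
    "good_password": {"user": "alice", "stage": "reply", "response_ok": True},
    "bad_password": {"user": "alice", "stage": "reply", "response_ok": False},
}

def outcomes(policy):
    """Map each sample case to (final_result, modules_run) under a policy."""
    return {label: run_chain(policy, CHAIN, req) for label, req in CASES.items()}

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, outcomes(policy))
```

Under these assumptions both policies stop at the challenge, but only the while-accept form stops at a reject; the until-challenge form hands a failed authentication to the module that skips the password check.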