EAP-TTLS: Remove FreeRADIUS workaround for EAP-TTLS/MSCHAPv2
FreeRADIUS releases before 1.1.4 did not send MS-CHAP2-Success in EAP-TTLS/MSCHAPv2. A wpa_supplicant workaround for that was added in 2005 and it has been enabled by default to avoid interoperability issues. This could be disabled with all other EAP workarounds (eap_workaround=0). However, that will disable some workarounds that are still needed with number of authentication servers. Old FreeRADIUS versions should not be in use anymore, so it makes sense to remove this EAP-TTLS/MSCHAPv2 workaround completely to get more complete validation of server behavior. This allows MSCHAPv2 to verify that the server knows the password instead of relying only on the TLS certificate validation. Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This commit is contained in:
parent
6d00ab0430
commit
870dfe9932
1 changed files with 0 additions and 10 deletions
|
@ -501,16 +501,6 @@ static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
|
|||
wpabuf_put(msg, pos - buf);
|
||||
*resp = msg;
|
||||
|
||||
if (sm->workaround) {
|
||||
/* At least FreeRADIUS seems to be terminating
|
||||
* EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success
|
||||
* packet. */
|
||||
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - "
|
||||
"allow success without tunneled response");
|
||||
ret->methodState = METHOD_MAY_CONT;
|
||||
ret->decision = DECISION_COND_SUCC;
|
||||
}
|
||||
|
||||
return 0;
|
||||
#else /* EAP_MSCHAPv2 */
|
||||
wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
|
||||
|
|
Loading…
Reference in a new issue