From 870dfe99329e999a3684fd673ebf362bb9c3d7f8 Mon Sep 17 00:00:00 2001
From: Dmitry Shmidt
Date: Wed, 16 Jul 2014 11:01:26 -0700
Subject: [PATCH] EAP-TTLS: Remove FreeRADIUS workaround for EAP-TTLS/MSCHAPv2

FreeRADIUS releases before 1.1.4 did not send MS-CHAP2-Success in EAP-TTLS/MSCHAPv2. A wpa_supplicant workaround for that was added in 2005 and it has been enabled by default to avoid interoperability issues. This could be disabled with all other EAP workarounds (eap_workaround=0). However, that will disable some workarounds that are still needed with number of authentication servers. Old FreeRADIUS versions should not be in use anymore, so it makes sense to remove this EAP-TTLS/MSCHAPv2 workaround completely to get more complete validation of server behavior. This allows MSCHAPv2 to verify that the server knows the password instead of relying only on the TLS certificate validation.

Signed-off-by: Dmitry Shmidt
---
 src/eap_peer/eap_ttls.c | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c
index e110236ad..771da584f 100644
--- a/src/eap_peer/eap_ttls.c
+++ b/src/eap_peer/eap_ttls.c
@@ -501,16 +501,6 @@ static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
 wpabuf_put(msg, pos - buf);
 *resp = msg;
- if (sm->workaround) {
- /* At least FreeRADIUS seems to be terminating
- * EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success
- * packet. */
- wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - "
- "allow success without tunneled response");
- ret->methodState = METHOD_MAY_CONT;
- ret->decision = DECISION_COND_SUCC;
- }
-
 return 0;
 #else /* EAP_MSCHAPv2 */
 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");