Handle type of first EAP-RADIUS response more sophisticated

2012-10-16 16:39:49 +02:00 · 2012-10-16 16:39:49 +02:00 · d2c8bc4df0
parent a5436657e9
commit d2c8bc4df0
1 changed files with 18 additions and 3 deletions
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@ -181,9 +181,23 @@ METHOD(eap_method_t, initiate, status_t,
 	if (response)
 	{
 		eap_radius_forward_to_ike(response);
-		if (radius2ike(this, response, out))
+		switch (response->get_code(response))
 		{
-			status = NEED_MORE;
+			case RMC_ACCESS_CHALLENGE:
+				if (radius2ike(this, response, out))
+				{
+					status = NEED_MORE;
+				}
+				break;
+			case RMC_ACCESS_ACCEPT:
+				/* Microsoft RADIUS servers can run in a mode where they respond
+				 * like this on the first request (i.e. without authentication),
+				 * we treat this as Access-Reject */
+			case RMC_ACCESS_REJECT:
+			default:
+				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
+					 this->peer);
+				break;
 		}
 		response->destroy(response);
 	}
@ -365,7 +379,8 @@ METHOD(eap_method_t, process, status_t,
 				break;
 			case RMC_ACCESS_REJECT:
 			default:
-				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer);
+				DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed",
+					 this->peer);
 				status = FAILED;
 				break;
 		}