EAP-TTLS: Remove FreeRADIUS workaround for EAP-TTLS/MSCHAPv2
authorDmitry Shmidt <dimitrysh@google.com>
Wed, 16 Jul 2014 18:01:26 +0000 (11:01 -0700)
committerJouni Malinen <j@w1.fi>
Sun, 20 Jul 2014 07:20:24 +0000 (10:20 +0300)
FreeRADIUS releases before 1.1.4 did not send MS-CHAP2-Success in
EAP-TTLS/MSCHAPv2. A wpa_supplicant workaround for that was added in
2005 and it has been enabled by default to avoid interoperability
issues. This could be disabled with all other EAP workarounds
(eap_workaround=0). However, that will disable some workarounds that are
still needed with a number of authentication servers.

Old FreeRADIUS versions should not be in use anymore, so it makes sense
to remove this EAP-TTLS/MSCHAPv2 workaround completely to get more
complete validation of server behavior. This allows MSCHAPv2 to verify
that the server knows the password instead of relying only on the TLS
certificate validation.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
src/eap_peer/eap_ttls.c

index e110236ad96f379fb1a65bb582ce436f7f43ece4..771da584f3ba75e9c583dcb006c9a594fc1889ca 100644 (file)
@@ -501,16 +501,6 @@ static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
        wpabuf_put(msg, pos - buf);
        *resp = msg;
 
-       if (sm->workaround) {
-               /* At least FreeRADIUS seems to be terminating
-                * EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success
-                * packet. */
-               wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - "
-                          "allow success without tunneled response");
-               ret->methodState = METHOD_MAY_CONT;
-               ret->decision = DECISION_COND_SUCC;
-       }
-
        return 0;
 #else /* EAP_MSCHAPv2 */
        wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");