Allow for new state transition on failure

if our RESPONSE gets a FAILURE message, it means that the
supplicant doesn't like our password.  Rather than complaining
about unexpected response, just send failure.

diff --git a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
index 2b20d769d267602e0b99473eedf9e24e643773cf..2774809e90632652b29584f270f555af8825d63d 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
+++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
@@ -442,6 +442,8 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler)
                 *      a challenge.
                 */
        case PW_EAP_MSCHAPV2_RESPONSE:
+               if (data->code == PW_EAP_MSCHAPV2_FAILURE) goto failure;
+
                if (data->code != PW_EAP_MSCHAPV2_CHALLENGE) {
                        radlog(L_ERR, "rlm_eap_mschapv2: Unexpected response received");
                        return 0;
@@ -514,6 +516,7 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler)
                        return 0;
                }
 
+       failure:
                 handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
                 eap_ds->request->code = PW_EAP_FAILURE;
                 return 1;