From f26dcc5f458b02433281413613ad418120474e22 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Tue, 3 Apr 2012 11:22:06 +0100
Subject: [PATCH] Allow for new state transition on failure if our RESPONSE gets a FAILURE message, it means that the supplicant doesn't like our password. Rather than complaining about unexpected response, just send failure.
---
 src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
index 2b20d769d26..2774809e906 100644
--- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
+++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
@@ -442,6 +442,8 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler)
 * a challenge.
 */
 case PW_EAP_MSCHAPV2_RESPONSE:
+ if (data->code == PW_EAP_MSCHAPV2_FAILURE) goto failure;
+
 if (data->code != PW_EAP_MSCHAPV2_CHALLENGE) {
 radlog(L_ERR, "rlm_eap_mschapv2: Unexpected response received");
 return 0;
@@ -514,6 +516,7 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler)
 return 0;
 }
+ failure:
 handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
 eap_ds->request->code = PW_EAP_FAILURE;
 return 1;
--
2.47.3
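Review bot: The new `goto failure` at the top of `case PW_EAP_MSCHAPV2_RESPONSE:` takes the failure exit without logging anything, while the branch directly below it calls `radlog` before returning. A peer that keeps sending responses once the exchange is in the failure state is something an operator watching for repeated password attempts would want in the log. I would brace the `if` and put a line such as `radlog(L_ERR, "rlm_eap_mschapv2: Response received in failure state, sending EAP-Failure");` before the jump, with the log level chosen to match project convention. The comment ending in `a challenge.` starts above the hunk and presumably still describes the old single-state rule, so it should name the second accepted state as well; the case body also continues past the hunk.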
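Review bot: The `failure:` label is now entered two ways, by fall-through from the code above it and by the jump from the `PW_EAP_MSCHAPV2_RESPONSE` case, and nothing at the label says so. It also returns 1 where the exit just above returns 0, which is easy to misread as an authentication success. A comment such as `/* Shared exit: reply with EAP-Failure. Reached by fall-through and by goto from the RESPONSE case. */` would make both points explicit. The statements at the label touch only `handler` and `eap_ds`, so as far as the hunk shows the jump skips nothing they need, but the function body between the two hunks is not visible here and should be checked for state that the fall-through path sets up first.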