inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

connection_sub_type=MS-EAP-Authentication match when doing EAP-PEAP-MSCHAPv2 #5426

Open nqb opened 4 years ago

nqb commented 4 years ago

Is your feature request related to a problem? Please describe.
Currently, when you want to match connections using EAP-PEAP-MSCHAPv2, you need to use the following filter: connection_sub_type=MS-EAP-Authentication, which is not obvious (as mentioned in #5280). On top of that, if you check the RADIUS audit log of your request, EAP Type is set to MSCHAPv2.

Describe the solution you'd like
Use a connection_sub_type filter that contains the MSCHAPv2 pattern to match this type of connection.

Describe alternatives you've considered
Display the sub type within the node info in the RADIUS auditing log so users can read it and match on it.

jrouzierinverse commented 4 years ago

Which type of filter are you talking about?

jrouzierinverse commented 4 years ago

We already support 'MS-CHAP-V2' as a connection_sub_type; would that be enough?

fdurand commented 4 years ago

It's just because of a confusion: if you check lib/pf/constants/eap_type.pm you can see:

    "MS-EAP-Authentication" => 26,
    "EAP-MSCHAP-V2" => 29,
    "Microsoft-MS-CHAPv2" => 26,
    "MS-CHAP-V2" => 26,

26 is what we use but 29 is what we choose.

jrouzierinverse commented 4 years ago

So what should be done to reduce the confusion?

fdurand commented 4 years ago

Do we compare with the number and not the string? If that's the case then we probably need to add a new one like "THIS_IS_THE_ONE_TO_USE_IF_YOU_WANT_TO_MATCH_EAP_PEAP_MSCHAPV2"

jrouzierinverse commented 4 years ago

We compare against the number internally; we convert it to a number internally.
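
An added example, not part of the thread and not PacketFence's own code: it resolves the four names quoted from lib/pf/constants/eap_type.pm to their numbers and compares by number, showing which filter names match a request of type 26 and that searching the names for "MSCHAPv2" returns entries under two different numbers. The function names and the sample request value are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Name-to-number entries copied from the lib/pf/constants/eap_type.pm excerpt above.
EAP_TYPE_NAMES = {
    "MS-EAP-Authentication": 26,
    "EAP-MSCHAP-V2": 29,
    "Microsoft-MS-CHAPv2": 26,
    "MS-CHAP-V2": 26,
}

def _norm(text):
    """Upper-case and drop punctuation so 'MS-CHAP-V2' and 'MSCHAPv2' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", text.upper())

def resolve(filter_value):
    """Turn a connection_sub_type name into its number (hypothetical helper)."""
    try:
        return EAP_TYPE_NAMES[filter_value]
    except KeyError:
        raise ValueError(f"unknown connection_sub_type name: {filter_value!r}") from None

def names_by_number(pattern):
    """Group every known name containing `pattern` by the number it resolves to."""
    groups = defaultdict(list)
    for name, number in EAP_TYPE_NAMES.items():
        if _norm(pattern) in _norm(name):
            groups[number].append(name)
    return {number: sorted(names) for number, names in groups.items()}

def audit(filter_value, request_type):
    """Compare by number and list the other names that behave identically."""
    number = resolve(filter_value)
    return {
        "matches": number == request_type,
        "resolved": number,
        "equivalent": sorted(n for n, v in EAP_TYPE_NAMES.items()
                             if v == number and n != filter_value),
    }

if __name__ == "__main__":
    PEAP_MSCHAPV2 = 26  # constructed sample request; 26 is the value the thread says is used
    for value in EAP_TYPE_NAMES:
        print(value, audit(value, PEAP_MSCHAPV2))
    # The string shown in the audit log does not pick out a single number:
    print(names_by_number("MSCHAPv2"))
```

With this table, a policy condition written with the name that most resembles the audit log's "MSCHAPv2" can resolve to 29 and never match, so a review of filter conditions should check the resolved number rather than the name.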