From ceece01b9947f89bf7cbea9e73e1a46811ea61d2 Mon Sep 17 00:00:00 2001
From: Simon Rozman
Date: Mon, 29 Aug 2016 09:25:38 +0200
Subject: [PATCH] In case of previously-failed authentication attempts we are more careful now not to request credential prompt for machine authentication
---
 lib/TTLS/src/Module.cpp | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/lib/TTLS/src/Module.cpp b/lib/TTLS/src/Module.cpp
index bf4a98d..31c604a 100644
--- a/lib/TTLS/src/Module.cpp
+++ b/lib/TTLS/src/Module.cpp
@@ -132,18 +132,20 @@ void eap::peer_ttls::get_identity(
 // If we got here, we have all credentials we need. But, wait!
- if (cfg_method->m_auth_failed) {
- // Outer TLS: Credentials failed on last connection attempt.
- log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM, event_data((unsigned int)eap_type_tls), event_data::blank);
- *pfInvokeUI = TRUE;
- return;
- }
+ if ((dwFlags & EAP_FLAG_MACHINE_AUTH) == 0) {
+ if (cfg_method->m_auth_failed) {
+ // Outer: Credentials failed on last connection attempt.
+ log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM, event_data((unsigned int)eap_type_tls), event_data::blank);
+ *pfInvokeUI = TRUE;
+ return;
+ }
- if (cfg_method->m_inner->m_auth_failed) {
- // Inner: Credentials failed on last connection attempt.
- log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM, event_data((unsigned int)cfg_method->m_inner->get_method_id()), event_data::blank);
- *pfInvokeUI = TRUE;
- return;
+ if (cfg_method->m_inner->m_auth_failed) {
+ // Inner: Credentials failed on last connection attempt.
+ log_event(&EAPMETHOD_TRACE_EVT_CRED_PROBLEM, event_data((unsigned int)cfg_method->m_inner->get_method_id()), event_data::blank);
+ *pfInvokeUI = TRUE;
+ return;
+ }
 }
 // Build our identity. ;)
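Review bot: Machine authentication now skips the `EAPMETHOD_TRACE_EVT_CRED_PROBLEM` event along with the prompt, because both `m_auth_failed` checks sit inside the new `(dwFlags & EAP_FLAG_MACHINE_AUTH) == 0` block; a machine whose credentials were rejected on the last attempt then reuses them with no trace record from this path, which makes repeated failures (and possibly a resulting lockout on the authentication server) harder to notice. Consider leaving the two `log_event(...)` calls unconditional and gating only the prompt, i.e. `if ((dwFlags & EAP_FLAG_MACHINE_AUTH) == 0) { *pfInvokeUI = TRUE; return; }` inside each `m_auth_failed` branch. A comment on the flag test such as `// Machine authentication has no interactive user: never request a credential prompt.` would record why the checks are bypassed. The body of get_identity starts and ends outside the hunk, so whether the failure is reported elsewhere cannot be confirmed from here.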