Best way to add second eap module


Best way to add second eap module

Adam Bishop-2
I'm adding a second eap module instance to a virtual server to handle eap-tls with a different root CA, like this:

  authorize {
     ...
     eap-tls
     eap {
       ok = return
       updated = return
     }
     ...
  }

  authenticate {
    ...
    Auth-Type eap-tls {
      ...
    }
    Auth-Type eap {
      ...
    }
    ...
  }

eap-tls returns 'invalid' if the client NAKs eap-tls, which causes a reject to be sent to PEAP users, so I need to change (or ignore) how 'invalid' is handled.

Is the right way to get it to fall through to the other eap module to override 'invalid', or do I need to be looking at the failover/group functionality? Or is what I want just not possible due to the client sending a NAK?

Many thanks,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Best way to add second eap module

Alan DeKok-2
On Aug 12, 2019, at 9:06 PM, Adam Bishop <[hidden email]> wrote:
>
> I'm adding a second eap module instance to a virtual server to handle eap-tls with a different root CA, like this:
>
>  authorize {
>     ...
>     eap-tls
>     eap {

  That will likely be difficult.  The EAP module wants to do all of EAP by itself.  So you can't really do one EAP, and then another.

  The better solution is to key off of something else to select which EAP module to use.  e.g. a domain name, LDAP group, etc.

        if (Realm == "example.com") {
                eap1
        }
        else {
                eap2
        }

> eap-tls returns 'invalid' if the client NAKs eap-tls, which causes a reject to be sent to PEAP users, so I need to change (or ignore) how 'invalid' is handled.

  It's better to just pick the right EAP module to use at the start.

> Is the right way to get it to fall through to the other eap module to override 'invalid', or do I need to be looking at the failover/group functionality? Or is what I want just not possible due to the client sending a NAK?

  EAP is a lot more complex than simple fail-over can handle.  So no, that isn't possible.

  Alan DeKok.



Re: Best way to add second eap module

Adam Bishop-2
On 13 Aug 2019, at 02:29, Alan DeKok <[hidden email]> wrote:
>  That will likely be difficult.  The EAP module wants to do all of EAP by itself.  So you can't really do one EAP, and then another.

Thanks, glad I double-checked before I spent too long trying to make it work :)

>  The better solution is to key off of something else to select which EAP module to use.  e.g. a domain name, LDAP group, etc.

Ok, I can do that. I'll give the eap-tls users a different anonymous identity and key off of that.

Thanks for your help,

Adam Bishop

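As an added illustration of the approach Alan describes and Adam settles on (not from the thread or from the FreeRADIUS project itself): a second rlm_eap instance for the partner root CA, selected once in authorize by the outer identity the EAP-TLS clients are provisioned with, while everything else stays with the stock "eap" instance. The instance name "eap-partner", the "tls-user@" outer identity, the file names and the CA paths are all assumptions; only the EAP-related lines of the virtual server are shown.

```unlang
# mods-enabled/eap-partner (assumed file name): a second rlm_eap instance
# that only does EAP-TLS and trusts the partner root CA. Paths are
# placeholders; ${certdir} and ${cadir} are the stock radiusd.conf variables.
eap eap-partner {
    default_eap_type = tls
    tls-config tls-partner {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/partner-ca.pem
    }
    tls {
        tls = tls-partner
    }
}

# sites-enabled/default: decide ONCE, before any EAP round trip, which
# instance owns this request. EAP-TLS clients send the outer identity
# "tls-user@<realm>" (assumed); everyone else (PEAP etc.) goes to the stock
# "eap" instance. Each instance sets Auth-Type to its own instance name, so
# there is never a second module for a NAK to "fall through" into.
authorize {
    if (User-Name =~ /^tls-user@/) {
        eap-partner {
            ok = return
            updated = return
        }
    }
    else {
        eap {
            ok = return
            updated = return
        }
    }
}

authenticate {
    Auth-Type eap {
        eap
    }
    Auth-Type eap-partner {
        eap-partner
    }
}
```

A client that presents the "tls-user@" identity but then NAKs EAP-TLS is rejected by eap-partner alone, which is the intended outcome: it proves the wrong client is using that identity rather than silently being handed to the PEAP instance.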