peap/eap change in 3.0.x with inner_eap_module now required

Matthew Newton mcn4 at leicester.ac.uk
Tue Jan 19 21:46:45 CET 2016


On Tue, Jan 19, 2016 at 02:42:44PM -0500, Alan DeKok wrote:
> On Jan 19, 2016, at 12:54 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> > Adding in the new "inner_eap_module" option to the outer PEAP
> > section fixes it (inner_eap_module = "outer-eep")
> 
>   Is that a typo?  Are you sure it isn't "inner_eap_module = "inner-eap"

Er, dunno - I was just trying things to get the server to start,
not knowing exactly what inner_eap_module actually does. I didn't
check that it would actually authenticate anything ;-)

I have

eap outer-eap {
        default_eap_type = peap
        ...

        tls-config tls-common-outer {
          ...
        }
        
        # permit plain eap-tls
        tls {   
                tls = tls-common-outer
                virtual_server = check-eap-tls
        }
        
        # for peap/eap-tls
        peap {  
                tls = tls-common-outer
                default_eap_type = tls
                copy_request_to_tunnel = yes
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
                soh = yes
                soh_virtual_server = "soh-server"

                # added 'inner_eap_module = "outer-eap"' here
        }
}


eap inner-eap {
        default_eap_type = tls
        ...

        tls-config tls-common-inner {
          ...
        }

        # for inner eap-tls
        tls {
                tls = tls-common-inner
                virtual_server = check-eap-tls
        }
}

Is 'inner_eap_module' overriding 'virtual_server = "inner-tunnel"', or just
setting which module to call in the outer authenticate section? I assumed the
latter.

m.


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

