[awful patch] "Multiple levels of TLS nesting is invalid."
Alan DeKok
aland at deployingradius.com
Wed Oct 15 14:31:29 CEST 2008
Matt Bernstein wrote:
> So saith FreeRADIUS 2.1.1, but I wasn't trying to do multiple levels of
> TLS nesting. I'm trying to use virtual servers so that a single radiusd
> can terminate TTLS/PEAP for multiple subrealms, _and_ use the
> inner-tunnel trick, keeping the configs completely independent for each
> subrealm.
If you have one server certificate for TTLS, you don't need this extra
layer of nesting. The TTLS && PEAP modules will look for a *dynamic*
definition of the virtual server for the inner-tunnel.
> This allows me to hook up different departments with different
> AAA infrastructures into one radius set-up for our eduroam service.
>
> My "default" server has a pair of listen{} blocks, and little else:
>
> authorize {
>         suffix
>         update control {
>                 Virtual-Server = "%{Realm}"
>         }
> }
> ..and "dcs" has its own EAP config, which references a virtual_server
> "dcs-inner" for the PEAP/TTLS innards, which has _its_ own EAP config.
That's... complicated.
> My problem is that eap.c (line 219), as called by "dcs-inner", notices
> the request has a grandparent, and assumes it's multiple layers of TLS
> nesting. Interestingly, the comment omits the magic word "TLS". I think
> perhaps that the virtual servers appear to count as layers. Anyway, this
> braindead patch makes it work for me:
Which pretty much removes the limits on nested queries. I understand
why you're doing this, but I'm not sure what the side effects are.
Alan DeKok.
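For readers trying to picture the layout under discussion, here is a constructed FreeRADIUS 2.1.x configuration in the shape Matt describes: a "default" server that only listens and dispatches on the realm, a per-department outer server ("dcs") with its own EAP instance and certificate, and a separate inner server ("dcs-inner") with its own EAP instance for the tunnelled authentication. This is an added example, not configuration from the original post or from the FreeRADIUS project; the realm name, the server names, the module instance names (dcs-eap, dcs-inner-eap, dcs-users) and the certificate paths are assumptions. Note the caveat from the thread: the request that reaches "dcs-inner" is the grandchild of the original request (default -> dcs -> dcs-inner), which is exactly what the nesting check in eap.c rejects in 2.1.1 as released, so this layout only works with the patch discussed above or a later fix. As Alan points out, with a single server certificate the middle layer is unnecessary: the TTLS/PEAP modules can name the inner virtual server directly.

```text
# ---- proxy.conf (constructed) ----
# A local realm: no home servers, so "suffix" strips "@dcs", sets
# Realm = "dcs" and does not proxy.  The Realm value must equal the
# name of the virtual server it is meant to select.
realm dcs {
}

# ---- sites-enabled/default (constructed; auth side only) ----
# The front door: listen, split off the realm, hand the request to the
# virtual server of the same name.  Remote eduroam realms (those with
# home servers) keep their Proxy-To-Realm and are left to the proxy code.
server default {
        listen {
                type = auth
                ipaddr = *
                port = 1812
        }
        authorize {
                suffix
                if (control:Proxy-To-Realm) {
                        ok
                }
                elsif (Realm) {
                        update control {
                                Virtual-Server = "%{Realm}"
                        }
                }
                else {
                        reject
                }
        }
}

# ---- sites-enabled/dcs (constructed) ----
# One department's outer server: only EAP is expected here, and the
# department's own EAP instance terminates TTLS/PEAP.
server dcs {
        authorize {
                dcs-eap {
                        ok = return
                }
        }
        authenticate {
                dcs-eap
        }
}

# ---- modules/dcs-eap (constructed) ----
# Department certificate, and the inner virtual server that the
# contents of the TTLS/PEAP tunnel are handed to.
eap dcs-eap {
        default_eap_type = peap
        tls {
                private_key_file = ${confdir}/certs/dcs/server.pem
                certificate_file = ${confdir}/certs/dcs/server.pem
                CA_file = ${confdir}/certs/dcs/ca.pem
                dh_file = ${confdir}/certs/dh
                random_file = /dev/urandom
        }
        ttls {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "dcs-inner"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "dcs-inner"
        }
        mschapv2 {
        }
}

# ---- sites-enabled/dcs-inner (constructed) ----
# Runs inside the tunnel: its own EAP instance for EAP-MSCHAPv2 (PEAP)
# and plain MS-CHAP (TTLS), against the department's user file.
server dcs-inner {
        authorize {
                dcs-inner-eap {
                        ok = return
                }
                mschap
                dcs-users
        }
        authenticate {
                Auth-Type MS-CHAP {
                        mschap
                }
                dcs-inner-eap
        }
}

# ---- modules/dcs-inner-eap and modules/dcs-users (constructed) ----
eap dcs-inner-eap {
        default_eap_type = mschapv2
        mschapv2 {
        }
}
files dcs-users {
        usersfile = ${confdir}/dcs/users
}
```

Keeping the department's certificate, EAP instance and user database in their own virtual servers is what makes the per-subrealm configs independent; the price, as the thread shows, is one extra level of request nesting that the 2.1.1 EAP module was not written to expect.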