Hi, On Tue, Feb 07, 2012 at 08:40:33AM +0100, Alan DeKok wrote:
Matthew Newton wrote:
... so why is the TLS config all inside EAP-TLS, and mysteriously PEAP and TTLS use EAP-TLS's config?
Because they all use TLS. And because you want the server to appear as one RADIUS server. Having a shared configuration makes that easier.
The alternative would be to configure TLS *separately* for PEAP and TTLS. When the user switches from PEAP to TTLS, a "new server" warning pops up, along with a new certificate. That's not nice.
Hmm - agreed on this point. Maybe our confusion, then, is that there is (logically, I'm not talking about the underlying code): TLS configuration, used by EAP-TLS, PEAP, TTLS because they all do TLS yet the configuration implies: EAP-TLS, which is used by PEAP and TTLS. The fact is that you have to configure EAP-TLS so that you can use the PEAP/TTLS, even if you don't want to actually use the EAP-TLS type itself.
In the main top-level config in radiusd.conf, have a new 'tls' section, that might look something like this:
The difficulty is that it doesn't follow the module format of the server. It mixes module configuration, "listen" section configuration, and has configuration for different virtual servers in one place.
OK, maybe that isn't such a good way to clarify it. Like you say, it would move configuration to different places and may make it harder to follow. Thinking more about it, maybe just this would make it easier to understand: eap { ... common-tls { private_key_file = ... certificate_file = ... ... } md5 { } tls { } peap { ... } ttls { } ... } So the "TLS" bit is split from the EAP-TLS type. To disable EAP-TLS, you'd just comment out the tls{} section, just like any other EAP type, but leave the common-tls section for PEAP/TTLS to use. I guess as an extreme, the TLS options could even be directly in the eap section rather than in a sub-section, as all eap types requiring TLS in that instantiation will use the same TLS settings (i.e. they're actually 'global'). But it seems tidier for them to be grouped together.
See src/modules/rlm_eap/eap.c. Look for "TLS". Knowledge that TTLS/PEAP uses TLS is hard-coded into the EAP module. Changing that is difficult.
Yeah, I can see how PEAP/TTLS use the underlying EAP-TLS code - that makes a lot of sense. It's the fact that that code structure percolates up into the configuration. I admit, now that we know how it works, it's easy to configure, but I've now been doing this for over a year. Things are always easy when you know how! Initially it was a right pig to understand... "but I don't *want* EAP-TLS (and I want to guarantee it can never work)" :-) Just trying to explore if there is any way the config can be updated/simplified to remove that initial confusion! Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>