On Tue, Jan 19, 2016 at 02:16:19PM -0500, Alan DeKok wrote:
On Jan 19, 2016, at 12:54 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote: I added some more sanity checking, and it seems to have broken some configurations.
OK. It's entirely possible my config is broken of course :)
The question is, should we relax those sanity checks, or are the configurations really broken?
I'm probably fairly unusual in having an eap instantiation (two even) that's not called "eap".
EAP modules here are called "outer-eap" and "inner-eap" (for my sanity - we've got PEAP/EAP-TLS, so it's "double-stacked" :-) )
What does the inner-tunnel "authenticate" section? i.e. does it have:
authenticate { ... inner-eep ... }
This. Well, default has authenticate { outer-eap } and inner-innel has authenticate { inner-eap } so basically the same as the default configration, except I've renamed the instances from eap to inner/outer-e.ap outer-eap does PEAP, inner-eap does EAP-TLS.
Adding in the new "inner_eap_module" option to the outer PEAP section fixes it (inner_eap_module = "outer-eap") but I'm not sure why it needs to break in 3.0.x?
It doesn't need to break, of course. But sanity checks are good.
Yeah, OK.
The problem was that the PEAP module was *hard-coded* to use "Auth-Type EAP". Which worked fine for situation (2) above, but not so much for situation (1).
But it has always worked for (1) before - that's the default config (albeit with unchanged instance name I admit). On Tue, Jan 19, 2016 at 02:26:57PM -0500, Alan DeKok wrote:
On Jan 19, 2016, at 2:16 PM, Alan DeKok <aland@deployingradius.com> wrote:
Hmm... If I configure the inner-tunnel virtual server as (1), I get:
No, my bad. It works.
So my question again, is how the heck did it ever work when running inner-tunnel, Auth-Type EAP, and there's no "eap" module listed in "authenticate" ?
there is "outer-eap", just not "eap".
If it breaks peoples systems, I can relax the checks. But I'd like to know just what the heck the system is actually doing.
TBH I've never quite got my head around why there is e.g. Auth-Type pap { pap } for everything else, and just eap for the eap module. I've always guessed that if the correct Auth-Type section is set then it uses that section, otherwise it just goes an calls all modules not in a named section in order (as in authorize) and hopes that something picks it up? Guess I should go and read the code.... just haven't ever needed to check this as it's always just worked, albeit looked slightly odd :) Thanks, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>