Matthew Newton wrote:
First is that you can call the detail module, to get a record of the certificate details easily in a log. Putting detail in post-auth before didn't work as, in post-auth, detail logs the response not the request.
Nice!
I've now got a detail instance in both the tls virtual-server and the post-auth / post-auth reject. This gets me a single log file with two (only) entries for each connection request - both the request AVPs, the certificate data, and the response.
That does make it much easier to manage.
Second is that I can call LDAP from the TLS virtual server and check group membership of the connecting device. Without this, you have to call LDAP in the inner tunnel (or outer, if you're doing plain EAP-TLS), and it gets called each time around the challenge-response loop, which hits the LDAP server more than necessary. Here, it just gets called once (see [0] for similar with PEAP/MS-CHAPv2). It's similar to the eap { ok = return } you can do for PEAP, but for EAP-TLS.
That helps, too. My only comment is that the patch is against the v2.1.x branch. Major new functionality needs to go into the "master" branch. Alan DeKok.