Matthew Newton wrote:
The fact is that you have to configure EAP-TLS so that you can use the PEAP/TTLS, even if you don't want to actually use the EAP-TLS type itself.
Yes. The saving grace there is you don't normally issue client certs. So EAP-TLS won't work when people try to use it.
OK, maybe that isn't such a good way to clarify it. Like you say, it would move configuration to different places and may make it harder to follow. Thinking more about it, maybe just this would make it easier to understand: ... So the "TLS" bit is split from the EAP-TLS type. To disable EAP-TLS, you'd just comment out the tls{} section, just like any other EAP type, but leave the common-tls section for PEAP/TTLS to use.
That would work.
I guess as an extreme, the TLS options could even be directly in the eap section rather than in a sub-section, as all eap types requiring TLS in that instantiation will use the same TLS settings (i.e. they're actually 'global'). But it seems tidier for them to be grouped together.
A bit, yes.
Yeah, I can see how PEAP/TTLS use the underlying EAP-TLS code - that makes a lot of sense. It's the fact that that code structure percolates up into the configuration.
In git "master" branch, the code has changed. All of the SSL cert stuff is now in src/main/tls.c. So it *should* be possible to more cleanly separate the configurations.
Just trying to explore if there is any way the config can be updated/simplified to remove that initial confusion!
My take is the following: 1) update eap_tls_attach() to do cf_pair_find(cs, "tls") put it before the tls_server_conf_parse() line. if it's found, look for the section referred to by the "tls" entry and use that for the TLS configuration. 2) verify that you can change the config to: eap { tls_common { ... cert stuff ... } tls { tls = tls_common } ... } and check that it works. 3) move the eap_tls_instantiate() code to rlm_eap/libeap/eap_tls.c not all, just the common "set up session code". Leave the TLS / TTLS / PEAP code in eap_tls_instantiate() 4) copy the eap_tls_instantiate() code to TTLS and PEAP as eap_ttls_instantiate(), and eap_peap_attach() ensure that ONLY the TTLS / PEAP code is there. remove the TTLS / PEAP stuff from eap_tls_instantiate() 5) copy the cf_pair_find(cs, "tls") stuff from eap_tls_attach into eap_ttls_attach() and eap_peap_attachI(). 6) remove the TTLS / PEAP --> TLS code from rlm_eap/eap.c If TLS, TTLS, and PEAP work, then you now are a good ways to Steps 5 && 6 might be complicated. But the basic idea *should* work. The end result will be the TLS configuration will be anywhere you want. The EAP tls, ttls, and peap code will just have an entry "tls =" to point to the TLS configuration. The HARD thing about this is now the TLS configuration will be loaded multiple times. Once each for EAP-TLS, TTLS, and PEAP. Finding a way to avoid that would be good. Alan DeKok.