On Aug 12, 2019, at 9:06 PM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
I'm adding a second eap module instance to a virtual server to handle eap-tls with a different root CA, like this:
authorize { ... eap-tls eap {
That will likely be difficult. The EAP module wants to do all of EAP by itself. So you can't really do one EAP, and then another. The better solution is to key off of something else to select which EAP module to use. e.g. a domain name, LDAP group, etc. if (Realm == "example.com") { eap1 } else { eap2 }
eap-tls returns 'invalid' if the client NAK's eap-tls, which causes a reject to be sent to PEAP users, so I need to change (or ignore) how 'invalid' is handled.
It's better to just pick the right EAP module to use at the start.
Is the right way to get it to fall through to the other eap module to override 'invalid', or do I need to be looking at the failover/group functionality? Or is what I want just not possible due to the client sending a NAK?
EAP is a lot more complex than simple fail-over can handle. So no, that isn't possible. Alan DeKok.