On Sep 12, 2024, at 10:11 AM, Connor Herring <connorrjherring@gmail.com> wrote:
I've got my setup working so that the outer auth is dealt with by EAPTTLS and then the inner is dealt with by either PAP/MD5 depending on what device the client is using (Windows doesn't seem to support MD5 and Apple doesn't seem to support PAP without extra config).
Apple systems should be able to do TTLS+PAP without issue.
My question is regarding the /mods-available/inner-eap module. My setup seems to be working but finding out that this module exists has made me question that fact. Instead of configuring inner tunnel within the /mods-enabled/eap file (e.g. setting the virtual server to your inner tunnel server and then configuring the inner tunnel virtual server in /sites-enabled/inner-tunnel etc.) do you HAVE to use /mods-available/inner-eap for this kind of setup to work correctly?
No.
When reading the documents I wasn't sure if the inner-eap module was going to be more heavily relied upon in v4.0.0 (I'm on v3.2.1) but wasn't necessary at the moment?
The intent of the inner vs outer EAP modules was to allow different EAP types. i.e. you don't want to do EAP-TTLS, which then carries EAP-TTLS, which then carries EAP-TTLS... Using one EAP module means that such nesting is allowed / easier. Using a separate "inner-eap" module means that you can more easily separate the two sets of EAP methods. Alan DeKok.