Is it possible to have different TLS configurations per EAP type?
Hello, I have a set of FR 2.2.5 servers which are currently handling PEAP connections. We now want to add EAP-TLS authentication, which is pretty straightforward. The only stumbling block I have is that the EAP-TLS client certs are signed by a root CA different from the one that signed the server certificate currently used for PEAP authentication. While that is not a problem in itself it makes client devices configuration more troublesome than I would like because it forces the user to install two root CA certs. So I am trying to write a configuration that would support two eap configurations. Instantiating two modules is not the problem, it’s more a matter of finding how to select a configuration to be used while maintaining backwards compatibility for the existing PEAP clients. Assuming the following modules: eap { […] tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file =${certdir}/server.key certificate_file = ${certdir}/server.crt CA_file = ${certdir}/ca_PEAP.crt dh_file = ${certdir}/dh random_file = /dev/urandom cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap” […] } eap eap-tls { [..] tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/ca.key private_key_password = whatever certificate_file = ${certdir}/ca.pem dh_file = ${certdir}/dh random_file = /dev/urandom cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" CA_file = ${certdir}/ca.pem […] } This does not seem to work: authorize { # assuming an instance called eap-tls eap-tls { updated = return } # else eap { ok = return } […] } And since things like EAP-Type are detected by the eap module itself I also can’t seem to do if (EAP-Type && (EAP-Type == EAP-TLS)) { eap-tls { ok = return } } else { eap { ok = return } } Which leaves me with a chicken and egg type of situation. Is this doable in FR 2? Am I just missing the obvious? Thank you for your help. -- Louis Munro lmunro@inverse.ca :: www.inverse.ca +1.514.447.4918 x125 :: +1 (866) 353-6153 x125 Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On Thu, Jan 29, 2015 at 03:48:58PM -0500, Louis Munro wrote:
So I am trying to write a configuration that would support two eap configurations.
What does your User-Name looks like with eap-tls? Often "host/<hostname>", in which case you could do something like if (User-Name =~ /^host\//) { eap-tls } else { eap-peap } You can also test EAP-Message with a regex to find which eap-type is being used - but again might be too late in the negotiations to be of use. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Jan 29, 2015, at 16:22 , Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
I'll +1 Matthews answer here
alan
It looks like that is the way to go. Thank you both. -- Louis Munro lmunro@inverse.ca :: www.inverse.ca +1.514.447.4918 x125 :: +1 (866) 353-6153 x125 Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
participants (3)
-
Alan Buxey -
Louis Munro -
Matthew Newton