Best way to add second eap module
I'm adding a second eap module instance to a virtual server to handle eap-tls with a different root CA, like this: authorize { ... eap-tls eap { ok = return updated = return } ... } authenticate { ... Auth-Type eap-tls { ... } Auth-Type eap { ... } ... } eap-tls returns 'invalid' if the client NAK's eap-tls, which causes a reject to be sent to PEAP users, so I need to change (or ignore) how 'invalid' is handled. Is the right way to get it to fall through to the other eap module to override 'invalid', or do I need to be looking at the failover/group functionality? Or is what I want just not possible due to the client sending a NAK? Many thanks, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On Aug 12, 2019, at 9:06 PM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
I'm adding a second eap module instance to a virtual server to handle eap-tls with a different root CA, like this:
authorize { ... eap-tls eap {
That will likely be difficult. The EAP module wants to do all of EAP by itself. So you can't really do one EAP, and then another. The better solution is to key off of something else to select which EAP module to use. e.g. a domain name, LDAP group, etc. if (Realm == "example.com") { eap1 } else { eap2 }
eap-tls returns 'invalid' if the client NAK's eap-tls, which causes a reject to be sent to PEAP users, so I need to change (or ignore) how 'invalid' is handled.
It's better to just pick the right EAP module to use at the start.
Is the right way to get it to fall through to the other eap module to override 'invalid', or do I need to be looking at the failover/group functionality? Or is what I want just not possible due to the client sending a NAK?
EAP is a lot more complex than simple fail-over can handle. So no, that isn't possible. Alan DeKok.
On 13 Aug 2019, at 02:29, Alan DeKok <aland@deployingradius.com> wrote:
That will likely be difficult. The EAP module wants to do all of EAP by itself. So you can't really do one EAP, and then another.
Thanks, glad I double checked before I spent too long trying to make it work :)
The better solution is to key off of something else to select which EAP module to use. e.g. a domain name, LDAP group, etc.
Ok, I can do that. I'll give the eap-tls users a different anonymous identity and key off of that. Thanks for your help, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
participants (2)
-
Adam Bishop -
Alan DeKok