Purpose of the inner-eap module
Hi Folks, In the standard config there's an second instance of the eap module, named 'inner-eap', but it doesn't appear to be referenced anywhere. I've swapped all occurances of 'eap' in the inner-tunnel site to 'inner-eap' and now see PEAP/EAP-MSCHAPv2 authentications complete with one fewer roundtrip, which feels like an improvement. Is there a reason inner-eap is not used in the default inner-tunnel site? As an aside, the wiki's EAP module page says "NOTE: There can only be one instance of the EAP module." (http://wiki.freeradius.org/modules/Rlm_eap), but that doesn't appear to be the case here. Graham
On Sep 29, 2016, at 1:34 PM, Graham Clinch <g.clinch@lancaster.ac.uk> wrote:
In the standard config there's an second instance of the eap module, named 'inner-eap', but it doesn't appear to be referenced anywhere.
It's an example. We probably should make it the default inner-eap method for version 4.
I've swapped all occurances of 'eap' in the inner-tunnel site to 'inner-eap' and now see PEAP/EAP-MSCHAPv2 authentications complete with one fewer roundtrip, which feels like an improvement. Is there a reason inner-eap is not used in the default inner-tunnel site?
History, mostly.
As an aside, the wiki's EAP module page says "NOTE: There can only be one instance of the EAP module." (http://wiki.freeradius.org/modules/Rlm_eap), but that doesn't appear to be the case here.
That's historical and should be deleted. Alan DeKok.
On Thu, Sep 29, 2016 at 06:34:10PM +0100, Graham Clinch wrote:
I've swapped all occurances of 'eap' in the inner-tunnel site to 'inner-eap' and now see PEAP/EAP-MSCHAPv2 authentications complete with one fewer roundtrip, which feels like an improvement. Is there a reason inner-eap is not used in the default inner-tunnel site?
The default "eap" config has default_eap_type = md5 which will be NAK'd on the first round trip. You should set it to the EAP method you're most commonly going to use. The "inner-eap" config has default_eap_type = mschapv2 which you're using, so saves one RT because the server and client agree the first time around. You'd use the inner-eap config when you're doing e.g. PEAP/EAP-TLS, i.e. EAP (EAP-TLS) inside of EAP (PEAP). In which case your inner-tunnel config would call inner-eap instead of eap (which would be the same module twice, which wouldn't end nicely). Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Sep 30, 2016, at 5:28 AM, A.L.M.Buxey@lboro.ac.uk wrote:
The default "eap" config has
default_eap_type = md5
that really should be changed to eg peap now - with md5, leap etc all commented out by default.
Except that EAP-MD5 is useful in wired environments. Disabling it is a bad idea. That being said, people should pay some attention to optimizing their configuration. Alan DeKok.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Graham Clinch -
Matthew Newton