TLS configuration
Alan DeKok
aland at deployingradius.com
Wed Feb 8 09:18:55 CET 2012
Matthew Newton wrote:
> The fact is that you have to configure EAP-TLS so that you can use
> the PEAP/TTLS, even if you don't want to actually use the EAP-TLS
> type itself.
Yes. The saving grace there is you don't normally issue client certs.
So EAP-TLS won't work when people try to use it.
> OK, maybe that isn't such a good way to clarify it. Like you say,
> it would move configuration to different places and may make it
> harder to follow. Thinking more about it, maybe just this would
> make it easier to understand:
...
> So the "TLS" bit is split from the EAP-TLS type. To disable
> EAP-TLS, you'd just comment out the tls{} section, just like any
> other EAP type, but leave the common-tls section for PEAP/TTLS to
> use.
That would work.
> I guess as an extreme, the TLS options could even be directly in
> the eap section rather than in a sub-section, as all eap types
> requiring TLS in that instantiation will use the same TLS settings
> (i.e. they're actually 'global'). But it seems tidier for them to
> be grouped together.
A bit, yes.
> Yeah, I can see how PEAP/TTLS use the underlying EAP-TLS code -
> that makes a lot of sense. It's the fact that that code structure
> percolates up into the configuration.
In git "master" branch, the code has changed. All of the SSL cert
stuff is now in src/main/tls.c. So it *should* be possible to more
cleanly separate the configurations.
> Just trying to explore if there is any way the config can be
> updated/simplified to remove that initial confusion!
My take is the following:
1) update eap_tls_attach() to do cf_pair_find(cs, "tls")
   put it before the tls_server_conf_parse() line.
   if it's found, look for the section referred to by the "tls" entry
   and use that for the TLS configuration.
2) verify that you can change the config to:
   eap {
       tls_common {
           ... cert stuff ...
       }
       tls {
           tls = tls_common
       }
       ...
   }
   and check that it works.
3) move the eap_tls_instantiate() code to rlm_eap/libeap/eap_tls.c
   not all, just the common "set up session code".
   Leave the TLS / TTLS / PEAP code in eap_tls_instantiate()
4) copy the eap_tls_instantiate() code to TTLS and PEAP
   as eap_ttls_instantiate(), and eap_peap_attach()
   ensure that ONLY the TTLS / PEAP code is there.
   remove the TTLS / PEAP stuff from eap_tls_instantiate()
5) copy the cf_pair_find(cs, "tls") stuff from eap_tls_attach
   into eap_ttls_attach() and eap_peap_attach().
6) remove the TTLS / PEAP --> TLS code from rlm_eap/eap.c
If TLS, TTLS, and PEAP work, then you now are a good ways to
Steps 5 && 6 might be complicated. But the basic idea *should* work.
The end result will be the TLS configuration will be anywhere you
want. The EAP tls, ttls, and peap code will just have an entry "tls ="
to point to the TLS configuration.
The HARD thing about this is now the TLS configuration will be loaded
multiple times. Once each for EAP-TLS, TTLS, and PEAP. Finding a way
to avoid that would be good.
Alan DeKok.
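The indirection sketched above (each TLS-based EAP method carrying a "tls = <section>" entry that points at one shared section) and the load-once concern at the end of the mail can be modelled outside the server. The following is an added illustration written for this page, not FreeRADIUS code: parse_config, resolve_tls_section, TlsLoader and load_all are assumed names, the sample config text is constructed, and the loader only records settings instead of reading certificates. It shows a dangling reference being rejected as a configuration error and the shared section being loaded exactly once for tls, ttls and peap.

```python
"""Toy model of 'tls = <section>' indirection plus load-once TLS config.
Illustrative code for this page, not FreeRADIUS code; all names assumed."""
import re
from typing import Dict, List, Tuple, Union

# A parsed section maps names to a string ("key = value") or a nested section.
Section = Dict[str, Union[str, "Section"]]

# Constructed sample config in the layout proposed in the thread.
SAMPLE_CONFIG = """
eap {
    default_eap_type = peap
    tls_common {
        private_key_file = /etc/raddb/certs/server.pem   # sample path
        certificate_file = /etc/raddb/certs/server.pem   # sample path
        ca_file = /etc/raddb/certs/ca.pem                # sample path
        cipher_list = DEFAULT
    }
    tls {
        tls = tls_common
    }
    ttls {
        tls = tls_common
        default_eap_type = md5
    }
    peap {
        tls = tls_common
        default_eap_type = mschapv2
    }
}
"""

_SECTION_OPEN = re.compile(r"^(\w+)\s*\{$")
_PAIR = re.compile(r"^(\w+)\s*=\s*(.+)$")


def parse_config(text: str) -> Section:
    """Parse brace-delimited config into nested dicts: one item per line,
    '#' comments, 'name {' opens a section, '}' closes it, 'key = value' pairs."""
    root: Section = {}
    stack: List[Section] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = _SECTION_OPEN.match(line)
        if m:
            child: Section = {}
            stack[-1][m.group(1)] = child
            stack.append(child)
            continue
        m = _PAIR.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
            continue
        raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def resolve_tls_section(eap: Section, method: str) -> Tuple[str, Section]:
    """Step 1 of the sketch: find 'tls = <name>' inside the method's
    subsection and return (name, referenced section). A missing or dangling
    reference is a hard configuration error, never a silent fallback."""
    sub = eap.get(method)
    if not isinstance(sub, dict):
        raise KeyError(f"no '{method}' section under eap")
    ref = sub.get("tls")
    if not isinstance(ref, str):
        raise KeyError(f"'{method}' has no 'tls = <section>' entry")
    target = eap.get(ref)
    if not isinstance(target, dict):
        raise KeyError(f"'{method}' refers to missing TLS section '{ref}'")
    return ref, target


class TlsLoader:
    """Loads each referenced TLS section once and hands the same object to
    every EAP method pointing at it (the de-duplication the mail asks for)."""

    def __init__(self) -> None:
        self.loaded: Dict[str, dict] = {}
        self.load_count = 0

    def _load(self, name: str, section: Section) -> dict:
        # Stand-in for real cert/key loading; only records the settings.
        self.load_count += 1
        return {"name": name, "settings": dict(section)}

    def get(self, eap: Section, method: str) -> dict:
        name, section = resolve_tls_section(eap, method)
        if name not in self.loaded:
            self.loaded[name] = self._load(name, section)
        return self.loaded[name]


def load_all(text: str, methods=("tls", "ttls", "peap")) -> Tuple[int, List[bool]]:
    """Return (number of TLS loads, per-method flag: shares the first object)."""
    eap = parse_config(text)["eap"]
    loader = TlsLoader()
    objs = [loader.get(eap, m) for m in methods]
    return loader.load_count, [o is objs[0] for o in objs]


if __name__ == "__main__":
    count, shared = load_all(SAMPLE_CONFIG)
    print(f"TLS config loaded {count} time(s); shared by all methods: {all(shared)}")
```

Keying the cache on the referenced section name is what keeps the private key and certificate chain from being parsed three times; it also guarantees that tls, ttls and peap cannot drift apart in cipher or CA settings, since they hold the very same object.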
More information about the Freeradius-Devel mailing list