[awful patch] "Multiple levels of TLS nesting is invalid."
Matt Bernstein
+systems.extlists.freeradius-users at dcs.qmul.ac.uk
Tue Oct 14 16:56:51 CEST 2008
So saith FreeRADIUS 2.1.1, but I wasn't trying to do multiple levels of
TLS nesting. I'm trying to use virtual servers so that a single radiusd
can terminate TTLS/PEAP for multiple subrealms, _and_ use the inner-tunnel
trick, keeping the configs completely independent for each subrealm. This
allows me to hook up different departments with different AAA
infrastructures into one radius set-up for our eduroam service.
My "default" server has a pair of listen{} blocks, and little else:
authorize {
    suffix
}
authenticate {
}
So, rlm_realm finds my virtual servers in proxy.conf, e.g.:
realm dcs.qmul.ac.uk {
    nostrip
    virtual_server = dcs
}
..and "dcs" has its own EAP config, which references a virtual_server
"dcs-inner" for the PEAP/TTLS innards, which has _its_ own EAP config.
My problem is that eap.c (line 219), as called by "dcs-inner", notices the
request has a grandparent, and assumes it's multiple layers of TLS
nesting. Interestingly, the comment omits the magic word "TLS". I think
perhaps that the virtual servers appear to count as layers. Anyway, this
braindead patch makes it work for me:
--- freeradius-server-2.1.1/src/modules/rlm_eap/eap.c.orig 2008-09-25 09:41:26.000000000 +0100
+++ freeradius-server-2.1.1/src/modules/rlm_eap/eap.c 2008-10-14 15:19:53.800553926 +0100
@@ -216,10 +216,13 @@
/*
* Multiple levels of nesting are invalid.
*/
- if (handler->request->parent && handler->request->parent->parent) {
- RDEBUG2("Multiple levels of TLS nesting is invalid.");
+ if (handler->request->parent && handler->request->parent->parent && handler->request->parent->parent->parent ) {
+ RDEBUG2("Multiple levels of TLS nesting is really invalid.");
return EAP_INVALID;
}
+ if (handler->request->parent && handler->request->parent->parent) {
+ RDEBUG2("Multiple levels of nesting is thought invalid, continuing anyway.");
+ }
/*
* Figure out what to do.
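Review bot: the relaxed guard at the first `if` cannot tell a virtual_server hop apart from a TLS tunnel, so a request that really is two TLS layers deep (parent and grandparent both created by tunnels) now passes with only a debug message, and EAP_INVALID is returned only once there are three parents. Rather than lengthening the `->parent` chain, the check should count how many of the ancestors were created by a TLS tunnel (or mark the request when a tunnel creates it) and reject when that count exceeds one, independently of how many virtual servers dispatched it. Smaller points: the second `if` re-walks the same pointers and only logs, so it could be folded into a single depth computation; the condition on the `+ if` line has a stray space before `)`; and both messages would read better as "are invalid" / "is thought to be invalid".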
..and my "radiusd -X" output now looks like this:
Found Auth-Type = dcs-inner-eap
+- entering group authenticate {...}
[dcs-inner-eap] Request found, released from the list
[dcs-inner-eap] Multiple levels of nesting is thought invalid, continuing anyway.
[dcs-inner-eap] EAP/mschapv2
[dcs-inner-eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv2 for username at dcs.qmul.ac.uk with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[dcs-inner-eap] returns handled
So.. I hope this is useful. Do drop me a mail on- or off-list on
<mb/freeradius at dcs.qmul.ac.uk>, if you want any further information or if
I'm not being clear enough.
Matt
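The per-subrealm layout the post describes, written out as an added example; it is not the poster's actual configuration (which the post does not include). File names follow the FreeRADIUS 2.x layout; the instance name "dcs-eap", the certificate paths and the contents of the inner-tunnel server are assumptions.

```conf
# proxy.conf (from the post): rlm_realm hands the subrealm to its own server.
realm dcs.qmul.ac.uk {
    nostrip
    virtual_server = dcs
}
# eap.conf: one eap instance per subrealm. The instance name "dcs-eap", the
# certificate paths and the inner-tunnel contents are assumptions. Its PEAP
# tunnel sends the inner request to "dcs-inner"; ttls {} would do the same.
eap dcs-eap {
    default_eap_type = peap
    tls {
        certificate_file = /etc/raddb/certs/dcs-server.pem
        private_key_file = /etc/raddb/certs/dcs-server.pem
        CA_file = /etc/raddb/certs/dcs-ca.pem
    }
    peap {
        default_eap_type = mschapv2
        virtual_server = "dcs-inner"
    }
}
# Second instance for the inner EAP-MSCHAPv2: this is the "dcs-inner-eap"
# that appears in the radiusd -X output in the post.
eap dcs-inner-eap {
    default_eap_type = mschapv2
}
# sites-enabled/dcs: outer (tunnel) virtual server for this subrealm.
server dcs {
    authorize {
        dcs-eap
    }
    authenticate {
        dcs-eap
    }
}
# sites-enabled/dcs-inner: the inner-tunnel server chosen by dcs-eap. This
# extra hop gives the inner request a grandparent (default -> dcs -> dcs-inner),
# which is what the check at eap.c line 219 trips over. "files" is assumed
# to be what supplies the NT-Password the mschap module finds.
server dcs-inner {
    authorize {
        dcs-inner-eap
        files
    }
    authenticate {
        dcs-inner-eap
        Auth-Type MS-CHAP {
            mschap
        }
    }
}
```

Each additional subrealm repeats the realm block, the outer eap instance and the two server blocks under its own names, so its AAA back end stays independent of the others.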