Rlm_eap_ttls Virtual Server Autoselection

Alan DeKok aland at deployingradius.com
Tue Jul 3 13:03:07 CEST 2018

On Jul 3, 2018, at 2:54 AM, Richter, Jan <richter at itc.rwth-aachen.de> wrote:
> I would like to gain more information concerning the github issue #2256 (https://github.com/FreeRADIUS/freeradius-server/issues/2256). It is about the RLM_EAP_TTLS module requiring a specific virtual server set to send the inner requests to. But first thanks for quickly answering there.
> I have two questions:
> 1. How do I configure multiple virtual servers with eap support? Am I right to create the servers with eap and then create an eap module for EACH server with the virtual server attribute set to the corresponding server again? This would increase the amount of nearly redundant configuration in a scenario with a lot of virtual servers.

  You can use one EAP module in multiple virtual servers.  The only caveat is that the configuration is the same.

  If you want different inner-tunnels for each outer virtual server, then you need to have different EAP modules.  Which is fine, because you'll likely need different certificates, too, for each virtual server && EAP module.

  i.e. either you're using the same config, so there's no redundancy, or you're using different configs so there's no redundancy.

> 2. What is so bad with the auto selection of the virtual server?

  What is "auto selection"?  This phrase doesn't occur anywhere in the configuration files.

> What are the mentioned "security reasons"? I could not find an explanation in the comment that added the error.
> Or isn't it the auto selection feature, but to send the inner requests to the same server handling the outer requests?

  The issue is that the inner identity and passwords are secret... they're passed inside of a TLS tunnel.  Exposing those to the outer tunnel is a violation of security principles.

  Alan DeKok.
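As an added illustration of the two-instance layout Alan describes (this is example configuration written for this page, not the project's shipped config and not from either poster), here is a FreeRADIUS 3.x sketch with two eap instances, each with its own certificate and its own dedicated inner virtual server. The instance names eap_corp and eap_guest, the server names corp/inner-corp/guest/inner-guest, the file paths and the listen address are assumptions; adjust them to the site. The inner identity and password only ever appear inside the inner-corp / inner-guest servers, which is the separation Alan refers to.

```conf
# ---- mods-enabled/eap_corp (assumed file name) ----
# Instance name "eap_corp" is also the Auth-Type this instance sets.
eap eap_corp {
    default_eap_type = ttls
    max_sessions = ${max_requests}

    tls-config tls_corp {
        private_key_file = ${certdir}/corp.pem      # assumed path
        certificate_file = ${certdir}/corp.pem      # assumed path
        ca_file          = ${cadir}/corp-ca.pem     # assumed path
        dh_file          = ${certdir}/dh
        cipher_list      = "DEFAULT"
    }

    ttls {
        tls = tls_corp
        default_eap_type = mschapv2
        # Keep outer request attributes out of the tunnel and inner
        # reply attributes inside it unless you have a reason not to.
        copy_request_to_tunnel = no
        use_tunneled_reply     = no
        # Tunneled (inner) requests go ONLY to this virtual server,
        # never to the outer server that received the EAP packet.
        virtual_server = "inner-corp"
    }
}

# ---- mods-enabled/eap_guest (assumed file name) ----
eap eap_guest {
    default_eap_type = ttls
    max_sessions = ${max_requests}

    tls-config tls_guest {
        private_key_file = ${certdir}/guest.pem     # assumed path
        certificate_file = ${certdir}/guest.pem     # assumed path
        ca_file          = ${cadir}/guest-ca.pem    # assumed path
        dh_file          = ${certdir}/dh
        cipher_list      = "DEFAULT"
    }

    ttls {
        tls = tls_guest
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply     = no
        virtual_server = "inner-guest"
    }
}

# ---- sites-enabled/corp (assumed file name) ----
# Outer server: sees only the EAP/TLS exchange and the outer identity.
server corp {
    listen {
        type   = auth
        ipaddr = 192.0.2.10     # assumed address
        port   = 1812
    }
    authorize {
        eap_corp {
            ok = return
        }
    }
    authenticate {
        Auth-Type eap_corp {
            eap_corp
        }
    }
}

# Inner server: the only place the tunneled identity and credential
# are visible, so user lookup and password checks live here.
server inner-corp {
    authorize {
        eap_corp {
            ok = return
        }
        files
        mschap
    }
    authenticate {
        Auth-Type eap_corp {
            eap_corp
        }
        Auth-Type MS-CHAP {
            mschap
        }
    }
}

# sites-enabled/guest would mirror the above with eap_guest,
# its own listen address, and "inner-guest" as the inner server.
```

Validate the layout with `radiusd -XC` before restarting; then run `radiusd -X` and authenticate once: the outer packet should be logged under `server corp`, and the tunneled request should appear as a separate request under `server inner-corp`. If the inner request shows up under the outer server instead, the `virtual_server` line in the matching ttls section is missing or misspelled.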
