Best way to add second eap module

Adam Bishop Adam.Bishop at jisc.ac.uk
Tue Aug 13 03:06:30 CEST 2019


I'm adding a second eap module instance to a virtual server to handle eap-tls with a different root CA, like this:

  authorize {
    ...
    eap-tls
    eap {
      ok = return
      updated = return
    }
    ...
  }

  authenticate {
    ...
    Auth-Type eap-tls {
      ...
    }
    Auth-Type eap {
      ...
    }
    ...
  }

eap-tls returns 'invalid' if the client NAKs eap-tls, which causes a reject to be sent to PEAP users, so I need to change (or ignore) how 'invalid' is handled.

Is the right way to get it to fall through to the other eap module to override 'invalid', or do I need to be looking at the failover/group functionality? Or is what I want just not possible due to the client sending a NAK? 

Many thanks,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk
