Message ID | 20201016083101.2300-1-alex@digriz.org.uk
---|---
State | Changes Requested
Series | [v2] PEAP peer: allow autheap for EAP-TLS phase2 support
Hello,

Any thoughts on this patch? Last time there was a question of whether there was any need for it, but no one could explain how to do PEAP with the inner method EAP-TLS with wpa_supplicant/eapol_test otherwise.

Though PEAP with EAP-TLS is somewhat pointless since Microsoft killed SoH[1] in Windows 10, some users of FreeRADIUS still wish to use it.

Regards

Alex

[1] https://docs.microsoft.com/en-us/windows/win32/nap/network-access-protection-start-page

On Fri, 16 Oct 2020, at 09:31, Alexander Clouter wrote:
> PEAP supports using EAP-TLS as the inner method (often referred to as
> PEAP-TLS or PEAP-EAP-TLS in the literature). This patch exposes the hooks
> that enable this to be configured and used by wpa_supplicant/eapol_test.
>
> This patch came about during TLSv1.3 interop testing between FreeRADIUS and
> Microsoft leading to fixing up support for PEAP-TLS in both FreeRADIUS and
> this hostap patch.
>
> Changes since:
> v1: included commit message with submission; no code change
>
> Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
>
> ---
> src/eap_peer/eap_peap.c | 22 +++++++++++++++++++---
> 1 file changed, 19 insertions(+), 3 deletions(-)
>
> diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
> index 7c3704369..7bcba4de2 100644
> --- a/src/eap_peer/eap_peap.c
> +++ b/src/eap_peer/eap_peap.c
> @@ -146,13 +146,29 @@ static void * eap_peap_init(struct eap_sm *sm) > if (config && config->phase1) > eap_peap_parse_phase1(data, config->phase1); > > - if (eap_peer_select_phase2_methods(config, "auth=", > - &data->phase2_types, > - &data->num_phase2_types, 0) < 0) { > + if (os_strstr(config->phase2, "auth=") && os_strstr(config->phase2, > "autheap=")) { > + wpa_printf(MSG_ERROR, > + "EAP-PEAP: Both auth= and autheap= params cannot be specified"); > eap_peap_deinit(sm, data); > return NULL; > } > > + if (os_strstr(config->phase2, "auth=")) { > + if (eap_peer_select_phase2_methods(config, "auth=", > + &data->phase2_types, > + &data->num_phase2_types, 0) < 0) { > + eap_peap_deinit(sm, data); > + return NULL; > + } > + } else { > + if (eap_peer_select_phase2_methods(config, "autheap=", > + &data->phase2_types, > + &data->num_phase2_types, 0) < 0) { > + eap_peap_deinit(sm, data); > + return NULL; > + } > + } > + > data->phase2_type.vendor = EAP_VENDOR_IETF; > data->phase2_type.method = EAP_TYPE_NONE; > > -- > 2.20.1 > >
On Fri, Oct 16, 2020 at 09:31:03AM +0100, Alexander Clouter wrote:
> PEAP supports using EAP-TLS as the inner method (often referred to as
> PEAP-TLS or PEAP-EAP-TLS in the literature). This patch exposes the hooks
> that enable this to be configured and used by wpa_supplicant/eapol_test.

I still do not understand why this would be needed. EAP-TLS as an inner method for PEAP has been supported for years with following:

    eap=PEAP
    phase2="auth=TLS"
    ca_cert="ca-for-outer-peap.pem"
    identity="User"
    ca_cert2="ca-for-inner-eap-tls.pem"
    client_cert2="user-cert-for-inner-eap-tls.pem"
    private_key2="user-private-key-for-inner-eap-tls.pem"

Sure, this is different compared to the EAP-TTLS special case, but the special case is on the EAP-TTLS side (both EAP and non-EAP inner methods) and not on PEAP (only EAP inner methods).
Hello,

On Sat, 20 Feb 2021, at 14:26, Jouni Malinen wrote:
>
> I still do not understand why this would be needed. EAP-TLS as an inner
> method for PEAP has been supported for years with following:
>
> eap=PEAP
> phase2="auth=TLS"
> [snipped]
>
> Sure, this is different compared to the EAP-TTLS special case, but the
> special case is on the EAP-TTLS side (both EAP and non-EAP inner
> methods) and not on PEAP (only EAP inner methods).

Thank you for showing me this. I can confirm it works perfectly for me; now I am surprised I missed this.

Please drop this patch from consideration.

Kind Regards
diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c index 7c3704369..7bcba4de2 100644 --- a/src/eap_peer/eap_peap.c +++ b/src/eap_peer/eap_peap.c @@ -146,13 +146,29 @@ static void * eap_peap_init(struct eap_sm *sm) if (config && config->phase1) eap_peap_parse_phase1(data, config->phase1); - if (eap_peer_select_phase2_methods(config, "auth=", - &data->phase2_types, - &data->num_phase2_types, 0) < 0) { + if (os_strstr(config->phase2, "auth=") && os_strstr(config->phase2, "autheap=")) { + wpa_printf(MSG_ERROR, + "EAP-PEAP: Both auth= and autheap= params cannot be specified"); eap_peap_deinit(sm, data); return NULL; } + if (os_strstr(config->phase2, "auth=")) { + if (eap_peer_select_phase2_methods(config, "auth=", + &data->phase2_types, + &data->num_phase2_types, 0) < 0) { + eap_peap_deinit(sm, data); + return NULL; + } + } else { + if (eap_peer_select_phase2_methods(config, "autheap=", + &data->phase2_types, + &data->num_phase2_types, 0) < 0) { + eap_peap_deinit(sm, data); + return NULL; + } + } + data->phase2_type.vendor = EAP_VENDOR_IETF; data->phase2_type.method = EAP_TYPE_NONE;
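Review bot: the new `os_strstr(config->phase2, ...)` calls at the top of the hunk dereference `config` and `config->phase2` without any NULL check, even though the unchanged context line directly above (`if (config && config->phase1)`) shows that `config` may be NULL and that the phase settings are optional; the removed `eap_peer_select_phase2_methods()` call was previously the only code in this block that touched `config`. Guard the lookups, for example `if (config && config->phase2 && os_strstr(config->phase2, "auth=") && os_strstr(config->phase2, "autheap="))`, and let a missing `phase2` fall through to the default method selection. Two style points: the single-line `os_strstr(...) && os_strstr(...)` condition runs well past the 80-column width the surrounding code keeps to and should be wrapped like the other multi-line conditions in the hunk, and the two `if`/`else` branches are identical apart from the prefix string, so selecting the prefix once (`const char *prefix = os_strstr(config->phase2, "auth=") ? "auth=" : "autheap=";`) and making a single `eap_peer_select_phase2_methods()` call would halve the added code.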
PEAP supports using EAP-TLS as the inner method (often referred to as PEAP-TLS or PEAP-EAP-TLS in the literature). This patch exposes the hooks that enable this to be configured and used by wpa_supplicant/eapol_test.

This patch came about during TLSv1.3 interop testing between FreeRADIUS and Microsoft leading to fixing up support for PEAP-TLS in both FreeRADIUS and this hostap patch.

Changes since:
v1: included commit message with submission; no code change

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
---
src/eap_peer/eap_peap.c | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)