Added virtual server support
authorAlan T. DeKok <aland@freeradius.org>
Tue, 21 Feb 2012 13:54:08 +0000 (14:54 +0100)
committerAlan T. DeKok <aland@freeradius.org>
Tue, 21 Feb 2012 13:54:08 +0000 (14:54 +0100)
To make it simpler, and consistent with the rest of the system.

raddb/mods-available/eap
src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c
src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.h

index 35441e2f0569bb53691143438f522e69d44abd6c..6cc2eea03c2049501592cf5c27e39aaf37e5a2b8 100644 (file)
                # EAP-pwd -- secure password-based authentication
                #
                pwd {
-                   group = 19
-                   #
-                   server_id = theserver@example.com
-                   #
-                   fragment_size = 1020
+                       group = 19
+
+                       #
+                       server_id = theserver@example.com
+
+                       #  This has the same meaning as for TLS.
+                       fragment_size = 1020
+
+                       # The virtual server which determines the 
+                       # "known good" password for the user.
+                       # Note that unlike TLS, only the "authorize"
+                       # section is processed.  EAP-PWD requests can be
+                       # distinguished by having a User-Name, but
+                       # no User-Password, CHAP-Password, EAP-Message, etc.
+                       virtual_server = "inner-tunnel"
                }
 
                # Cisco LEAP
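Review bot: The new comment block above `virtual_server` explains what the virtual server is for but not the precedence the code gives it: in the rlm_eap_pwd.c change on this page, an item matching PW_VIRTUAL_SERVER in the request's config items (presumably a `Virtual-Server` control attribute) is consulted first and overrides this setting, and when `virtual_server` is left unset the fake request keeps the server that received the outer request. Documenting both here keeps the example self-explanatory, e.g. add after the existing comment lines `# A Virtual-Server attribute in the control list overrides this setting.` and `# If unset, the server which received the request is used.`.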
index 1b6b7e3c7e241008507903de79ac2bd60a187028..e467daec95724713cb0d0d4ee1b24fdd30d48589 100644 (file)
@@ -50,6 +50,8 @@ static CONF_PARSER pwd_module_config[] = {
       offsetof(EAP_PWD_CONF, fragment_size), NULL, "1020"},
     { "server_id", PW_TYPE_STRING_PTR,
       offsetof(EAP_PWD_CONF, server_id), NULL, NULL },
+    { "virtual_server", PW_TYPE_STRING_PTR,
+      offsetof(EAP_PWD_CONF, virtual_server), NULL, NULL },
     { NULL, -1, 0, NULL, NULL }
 };
 
@@ -301,7 +303,7 @@ eap_pwd_authenticate (void *arg, EAP_HANDLER *handler)
     pwd_id_packet *id;
     EAP_PACKET *response;
     REQUEST *request, *fake;
-    VALUE_PAIR *pw, **outvps;
+    VALUE_PAIR *pw, **outvps, *vp;
     EAP_DS *eap_ds;
     int len, ret = 0;
     eap_pwd_t *inst = (eap_pwd_t *)arg;
@@ -443,7 +445,42 @@ eap_pwd_authenticate (void *arg, EAP_HANDLER *handler)
                    pwd_session->peer_id_len);
             fake->username->length = pwd_session->peer_id_len;
             fake->username->vp_strvalue[fake->username->length] = 0;
-            module_authorize(0, fake);
+
+           if ((vp = pairfind(request->config_items, PW_VIRTUAL_SERVER, 0)) != NULL) {
+                   fake->server = vp->vp_strvalue;
+                   
+           } else if (inst->conf->virtual_server) {
+                   fake->server = inst->conf->virtual_server;
+                   
+           } /* else fake->server == request->server */
+           
+           if ((debug_flag > 0) && fr_log_fp) {
+                   RDEBUG("Sending tunneled request");
+                   
+                   debug_pair_list(fake->packet->vps);
+                   
+                   fprintf(fr_log_fp, "server %s {\n",
+                           (fake->server == NULL) ? "" : fake->server);
+           }
+           
+           /*
+            *  Call authorization recursively, which will
+            *  get the password.
+            */
+           module_authorize(0, fake);
+           
+           /*
+            *  Note that we don't do *anything* with the reply
+            *  attributes.
+            */
+           if ((debug_flag > 0) && fr_log_fp) {
+                   fprintf(fr_log_fp, "} # server %s\n",
+                           (fake->server == NULL) ? "" : fake->server);
+                   
+                   RDEBUG("Got tunneled reply code %d", fake->reply->code);
+                   
+                   debug_pair_list(fake->reply->vps);
+           }
 
             if ((pw = pairfind(fake->config_items, PW_CLEARTEXT_PASSWORD, 0)) == NULL) {
                 DEBUG2("failed to find password for %s to do pwd authentication",
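Review bot: The server name stored into `fake->server` in the new `if`/`else if` block is never checked against the configured virtual servers: neither `inst->conf->virtual_server` nor the `vp_strvalue` pulled from `request->config_items` is validated, so a misspelled name would surface only as the later "failed to find password" message with no hint that the server selection was the cause (what `module_authorize` does with an unknown server name is outside this hunk, so this is inferred). The instantiate function, outside this hunk, is where an unknown `inst->conf->virtual_server` should be rejected; failing that, include the server in the failure diagnostic just below, e.g. `DEBUG2("failed to find password for %s in server \"%s\"", ..., fake->server ? fake->server : "<default>")`. The block also leaves several whitespace-only lines and its indentation does not appear to match the four-space style of the surrounding code in eap_pwd_authenticate; a formatter pass before merge would avoid churn in later diffs. eap_pwd_authenticate starts and ends outside this hunk.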
index 70cedd5bc02aeb49042adce8911df8819bdbab29..e229f95d18413f8cfdf7e9684a042a3a878f4436 100644 (file)
@@ -43,6 +43,7 @@ typedef struct eap_pwd_conf {
     int group;
     int fragment_size;
     char *server_id;
+    char *virtual_server;
 } EAP_PWD_CONF;
 
 typedef struct _eap_pwd_t {
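Review bot: The new `virtual_server` member is undocumented, unlike the meaning the .c change gives it: it names the server whose "authorize" section is run to obtain the password, and NULL means the fake request keeps the receiving request's server. Add a trailing comment so readers of the header do not have to find that in rlm_eap_pwd.c, e.g. `char *virtual_server;   /* server whose "authorize" section supplies the password; NULL = server that received the request */`. The struct's remaining members are outside this hunk.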