Add require_client_cert options to EAP-PEAP/TTLS 54/head
authorMatthew Newton <mcn4@leicester.ac.uk>
Tue, 3 Apr 2012 10:49:44 +0000 (11:49 +0100)
committerMatthew Newton <mcn4@leicester.ac.uk>
Tue, 3 Apr 2012 12:11:42 +0000 (13:11 +0100)
This is a replacement for having to set
EAP-TLS-Require-Client-Cert, although that can still be used.

raddb/mods-available/eap
src/modules/rlm_eap/types/rlm_eap_peap/rlm_eap_peap.c
src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c

index 0ac360e64697932b69bcff17f3b2db4fdda70b97..9bef0c55ba259ff7ce6f3f8d7d80d4fdc472ba33 100644 (file)
@@ -532,13 +532,6 @@ eap {
        #
        #  Surprisingly, it works quite well.
        #
-       #  EAP-TTLS does not normally require a client certificate,
-       #  but you can make it require one by setting
-       #
-       #       EAP-TLS-Require-Client-Cert = Yes
-       #
-       #  in the control items for a request.
-       #
        ttls {
                #  Which tls-config section the TLS negotiation parameters
                #  are in - see EAP-TLS above for an explanation.
@@ -605,6 +598,18 @@ eap {
                #  The default value here is "yes".
                #
        #       include_length = yes
+
+               #
+               # Unlike EAP-TLS, EAP-TTLS does not require a client
+               # certificate. However, you can require one by setting the
+               # following option. You can also override this option by
+               # setting
+               #
+               #       EAP-TLS-Require-Client-Cert = Yes
+               #
+               # in the control items for a request.
+               #
+       #       require_client_cert = yes
        }
 
 
@@ -651,13 +656,6 @@ eap {
        #  EAP module.  Inside of the TLS/PEAP tunnel, we
        #  recommend using EAP-MS-CHAPv2.
        #
-       #  Unlike EAP-TLS, PEAP does not require a client certificate.
-       #  However, you can require one by setting
-       #
-       #       EAP-TLS-Require-Client-Cert = Yes
-       #
-       #  in the control items for a request.
-       #
        peap {
                #  Which tls-config section the TLS negotiation parameters
                #  are in - see EAP-TLS above for an explanation.
@@ -715,6 +713,17 @@ eap {
                # can be sent to a specific virtual server:
                #
        #       soh_virtual_server = "soh-server"
+
+               #
+               # Unlike EAP-TLS, PEAP does not require a client certificate.
+               # However, you can require one by setting the following
+               # option. You can also override this option by setting
+               #
+               #       EAP-TLS-Require-Client-Cert = Yes
+               #
+               # in the control items for a request.
+               #
+       #       require_client_cert = yes
        }
 
        #
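Review bot: The override sentence in the new comment block (`You can also override this option by setting EAP-TLS-Require-Client-Cert = Yes`) reads as if the attribute can only switch the requirement on, but the matching C change in this commit seeds `client_cert` from `require_client_cert` and then looks the attribute up in the control items, so presumably whatever value the attribute carries takes precedence — including `No`, which would relax a module-wide `yes` for that one request (the code that applies the attribute is not on this page). Administrators should be told which it is, because an `update control` in policy could otherwise weaken a site-wide requirement without anyone noticing. Suggested wording: `# in the control items for a request; when the attribute is present it takes precedence over this option.` The same paragraph appears in the ttls section earlier in this file and should be worded identically.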
index 72ebcdc57cdba55bc0956b09d8ba42bac03a7b5b..5da93e594ca11cac20f4a08277c8424a0ef56c79 100644 (file)
@@ -70,6 +70,11 @@ typedef struct rlm_eap_peap_t {
         */
        int     soh;
        char    *soh_virtual_server;
+
+       /*
+        *      Do we do require a client cert?
+        */
+       int     req_client_cert;
 } rlm_eap_peap_t;
 
 
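Review bot: The comment on the new `req_client_cert` field has a doubled word, `Do we do require a client cert?`. Suggested: `/* Require a client certificate (the require_client_cert option, default "no")? */`, which also ties the field to the configuration keyword the CONF_PARSER entry in this commit maps onto it. The struct's opening line is outside the hunk.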
@@ -97,6 +102,9 @@ static CONF_PARSER module_config[] = {
        { "soh", PW_TYPE_BOOLEAN,
          offsetof(rlm_eap_peap_t, soh), NULL, "no" },
 
+       { "require_client_cert", PW_TYPE_BOOLEAN,
+         offsetof(rlm_eap_peap_t, req_client_cert), NULL, "no" },
+
        { "soh_virtual_server", PW_TYPE_STRING_PTR,
          offsetof(rlm_eap_peap_t, soh_virtual_server), NULL, NULL },
 
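Review bot: The new `require_client_cert` entry is inserted between `soh` and `soh_virtual_server`, splitting the two SoH-related options; placing it after `soh_virtual_server` keeps the SoH pair together and mirrors the ttls module in this same commit, which appends its entry at the end of the table. The table's terminator is outside the hunk. The `"no"` default is the right choice, since it preserves the behaviour of existing configurations that never set the option.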
@@ -227,8 +235,12 @@ static int eappeap_initiate(void *type_arg, EAP_HANDLER *handler)
 
        /*
         *      Check if we need a client certificate.
-        *
-        *      FIXME: This should be more configurable.
+        */
+       client_cert = inst->req_client_cert;
+
+       /*
+        * EAP-TLS-Require-Client-Cert attribute will override
+        * the require_client_cert configuration option.
         */
        vp = pairfind(handler->request->config_items,
                      PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0);
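Review bot: The new comment at `EAP-TLS-Require-Client-Cert attribute will override` uses ` * text`, whereas the surrounding comments in this function (e.g. `Check if we need a client certificate.`) put a tab after the asterisk; match the file's layout, and fold the two fragments into one comment block instead of closing one at `*/` and immediately opening another. On substance, seeding `client_cert` from `inst->req_client_cert` before the `pairfind` means that if the lookup result is applied unconditionally (that code is past the end of the hunk), a per-request `EAP-TLS-Require-Client-Cert = No` can downgrade a module-level `require_client_cert = yes`; if only tightening is intended, apply the attribute only when it is set to yes, and either way state the precedence rule in the comment, e.g. `EAP-TLS-Require-Client-Cert, when present in the control items, takes precedence over require_client_cert.` The rest of `eappeap_initiate` is outside the hunk.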
index c8fff33b5b0aa45e11934602315fef14577d9711..023749a5e9bfbc56908aa2e32ab9113de0561f24 100644 (file)
@@ -68,6 +68,11 @@ typedef struct rlm_eap_ttls_t {
         *      Virtual server for inner tunnel session.
         */
        char    *virtual_server;
+
+       /*
+        *      Do we do require a client cert?
+        */
+       int     req_client_cert;
 } rlm_eap_ttls_t;
 
 
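Review bot: The comment on the new `req_client_cert` field repeats a word, `Do we do require a client cert?`. Suggested: `/* Require a client certificate (the require_client_cert option, default "no")? */`, naming the configuration keyword that the CONF_PARSER entry in this commit binds to the field. The struct's opening line is outside the hunk.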
@@ -90,6 +95,9 @@ static CONF_PARSER module_config[] = {
        { "include_length", PW_TYPE_BOOLEAN,
          offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
 
+       { "require_client_cert", PW_TYPE_BOOLEAN,
+         offsetof(rlm_eap_ttls_t, req_client_cert), NULL, "no" },
+
        { NULL, -1, 0, NULL, NULL }           /* end the list */
 };
 
@@ -214,8 +222,12 @@ static int eapttls_initiate(void *type_arg, EAP_HANDLER *handler)
 
        /*
         *      Check if we need a client certificate.
-        *
-        *      FIXME: This should be more configurable.
+        */
+       client_cert = inst->req_client_cert;
+
+       /*
+        * EAP-TLS-Require-Client-Cert attribute will override
+        * the require_client_cert configuration option.
         */
        vp = pairfind(handler->request->config_items,
                      PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0);
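Review bot: The new comment block at `EAP-TLS-Require-Client-Cert attribute will override` does not follow the file's comment layout (` *` followed by a tab, as in `Check if we need a client certificate.` just above) and is split into two adjacent blocks where one would do. Since `client_cert` is now seeded from `inst->req_client_cert` before the attribute lookup, the comment should also say whether the attribute can lower the requirement as well as raise it — the code that consumes `vp` is outside the hunk, but if it assigns unconditionally, a control-list `EAP-TLS-Require-Client-Cert = No` relaxes a module-level `yes` for that request, which is a policy surprise worth documenting or preventing. This block is identical to the one added to rlm_eap_peap.c in the same commit, so whatever precedence rule is chosen should be applied to both. The rest of `eapttls_initiate` is outside the hunk.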