start of peapv1
index 1fd30ce..5bf7c96 100644 (file)
@@ -31,6 +31,7 @@ typedef struct rlm_eap_peap_t {
        char const *default_method_name;        //!< Default tunneled EAP type.
        int default_method;
 
+       char const *inner_eap_module;           //!< module name for inner EAP
        int auth_type_eap;
        bool use_tunneled_reply;                //!< Use the reply attributes from the tunneled session in
                                                //!< the non-tunneled reply to the client.
@@ -54,6 +55,8 @@ static CONF_PARSER module_config[] = {
 
        { "default_eap_type", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, default_method_name), "mschapv2" },
 
+       { "inner_eap_module", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_peap_t, inner_eap_module), NULL },
+
        { "copy_request_to_tunnel", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, copy_request_to_tunnel), "no" },
 
        { "use_tunneled_reply", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_peap_t, use_tunneled_reply), "no" },
@@ -119,12 +122,19 @@ static int mod_instantiate(CONF_SECTION *cs, void **instance)
                return -1;
        }
 
-       dv = dict_valbyname(PW_AUTH_TYPE, 0, "eap");
+       /*
+        *      Don't expose this if we don't need it.
+        */
+       if (!inst->inner_eap_module) inst->inner_eap_module = "eap";
+
+       dv = dict_valbyname(PW_AUTH_TYPE, 0, inst->inner_eap_module);
        if (!dv) {
-               cf_log_err_cs(cs, "Failed to find 'Auth-Type mschap' section.  Cannot authenticate users.");
-               return -1;
+               WARN("Failed to find 'Auth-Type %s' section in virtual server %s.  The server cannot proxy inner-tunnel EAP packets.",
+                    inst->inner_eap_module, inst->virtual_server);
+       } else {
+               inst->auth_type_eap = dv->value;
        }
-       inst->auth_type_eap = dv->value;
+
        return 0;
 }
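Review bot: When `dict_valbyname()` returns NULL, `inst->auth_type_eap` is no longer assigned and `mod_instantiate` still returns 0, so the instance comes up with whatever value the field held before (presumably zero from allocation, which is not visible in the hunk); every later use of `auth_type_eap` must treat that value as "no inner EAP Auth-Type" rather than a valid dictionary value, and that should be stated at the field or at the warning, e.g. `/* auth_type_eap stays unset when the section is missing; inner-tunnel EAP proxying is then unavailable */`. The WARN formats `inst->virtual_server` with `%s`; if that pointer can be NULL at this point it needs a check, otherwise the earlier validation in mod_instantiate (outside the hunk) must guarantee it. Because the old code made a missing section a fatal configuration error and the new code only warns, a deployment that depends on inner-tunnel EAP now fails at request time instead of at startup, so the warning text could name the `inner_eap_module` option so the administrator knows which setting to fix.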
 
@@ -252,6 +262,13 @@ static int mod_process(void *arg, eap_handler_t *handler)
                peap = tls_session->opaque = peap_alloc(tls_session, inst);
        }
 
+       /*
+        *      Negotiate PEAP versions down.
+        */
+       if ((handler->eap_ds->response->type.data[0] & 0x03) < tls_session->peap_flag) {
+               tls_session->peap_flag = handler->eap_ds->response->type.data[0] & 0x03;
+       }
+
        status = eaptls_process(handler);
        if ((status == FR_TLS_INVALID) || (status == FR_TLS_FAIL)) {
                REDEBUG("[eaptls process] = %s", fr_int2str(fr_tls_status_table, status, "<INVALID>"));
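Review bot: `handler->eap_ds->response->type.data[0]` is read before `eaptls_process()` validates the packet, and nothing in the hunk shows that `type.length` is at least 1 here; if a zero-length type payload can reach this point, guard the read, e.g. `if ((handler->eap_ds->response->type.length > 0) && ((handler->eap_ds->response->type.data[0] & 0x03) < tls_session->peap_flag))`. The negotiation is also entirely peer-driven: whatever version bits the client sends become the session's version as long as they are lower, with no configurable floor, which is worth stating in the comment (`/* peer may lower the version; no minimum version is enforced */`) or tying to a config option. `0x03` is the PEAP version mask; a named constant would make the two uses self-describing. mod_process continues outside the hunk.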