[PATCH v2] PEAP peer: allow autheap for EAP-TLS phase2 support

Alexander Clouter alex at digriz.org.uk
Fri Dec 4 13:02:25 EST 2020


Hello,

Any thoughts on this patch?

Last time there was a question of if there was any need for it, but no one could explain how to do PEAP with the inner method EAP-TLS with wpa_supplicant/eapol_test otherwise.

Though PEAP with EAP-TLS is somewhat pointless since Microsoft killed SoH[1] in Windows 10, some users of FreeRADIUS still wish to use it.

Regards

Alex

[1] https://docs.microsoft.com/en-us/windows/win32/nap/network-access-protection-start-page

On Fri, 16 Oct 2020, at 09:31, Alexander Clouter wrote:
> PEAP supports using EAP-TLS as the inner method (often referred to as
> PEAP-TLS or PEAP-EAP-TLS in the literature). This patch exposes the hooks
> that enable this to be configured and used by wpa_supplicant/eapol_test.
> 
> This patch came about during TLSv1.3 interop testing between FreeRADIUS and
> Microsoft leading to fixing up support for PEAP-TLS in both FreeRADIUS and
> this hostap patch.
> 
> Changes since:
>  v1: included commit message with submission; no code change
> 
> Signed-off-by: Alexander Clouter <alex at digriz.org.uk>
> 
> ---
>  src/eap_peer/eap_peap.c | 22 +++++++++++++++++++---
>  1 file changed, 19 insertions(+), 3 deletions(-)
> 
> diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
> index 7c3704369..7bcba4de2 100644
> --- a/src/eap_peer/eap_peap.c
> +++ b/src/eap_peer/eap_peap.c
> @@ -146,13 +146,29 @@ static void * eap_peap_init(struct eap_sm *sm)
>  	if (config && config->phase1)
>  		eap_peap_parse_phase1(data, config->phase1);
>  
> -	if (eap_peer_select_phase2_methods(config, "auth=",
> -					   &data->phase2_types,
> -					   &data->num_phase2_types, 0) < 0) {
> +	if (os_strstr(config->phase2, "auth=") && os_strstr(config->phase2, 
> "autheap=")) {
> +		wpa_printf(MSG_ERROR,
> +			   "EAP-PEAP: Both auth= and autheap= params cannot be specified");
>  		eap_peap_deinit(sm, data);
>  		return NULL;
>  	}
>  
> +        if (os_strstr(config->phase2, "auth=")) {
> +		if (eap_peer_select_phase2_methods(config, "auth=",
> +						   &data->phase2_types,
> +						   &data->num_phase2_types, 0) < 0) {
> +			eap_peap_deinit(sm, data);
> +			return NULL;
> +		}
> +	} else {
> +		if (eap_peer_select_phase2_methods(config, "autheap=",
> +						   &data->phase2_types,
> +						   &data->num_phase2_types, 0) < 0) {
> +			eap_peap_deinit(sm, data);
> +			return NULL;
> +		}
> +	}
> +
>  	data->phase2_type.vendor = EAP_VENDOR_IETF;
>  	data->phase2_type.method = EAP_TYPE_NONE;
>  
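
Review bot: the new os_strstr() tests at the top of the added lines dereference config->phase2 unconditionally, while the context line just above them guards with `if (config && config->phase1)`, so a NULL config (and by extension an unset phase2) looks like a case this function expects; guard with `config && config->phase2` before the substring tests. The else branch also makes "autheap=" the prefix whenever "auth=" is absent, including when phase2 contains neither key, whereas the removed code always passed "auth="; choosing the prefix into one variable and calling eap_peer_select_phase2_methods() once would make that default explicit and remove the duplicated deinit/return path. The `if (os_strstr(config->phase2, "auth=")) {` line is indented with spaces where the surrounding code uses a tab.
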
> -- 
> 2.20.1
> 
>

-- 
Alexander Clouter
