complain if we get TEAP inside of TEAP

FreeRADIUS · Dec 11, 2024 · fb16acc · fb16acc
1 parent b36fea2
commit fb16acc
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
@@ -1163,8 +1163,14 @@ eap {
 		#
 		#  The values for those attributes are the same as for EAP-Type.
 		#
-	#	user_eap_type = mschapv2
-	#	machine_eap_type = tls
+		#  Note that if you try to use "EAP-Type := TEAP" in the
+		#  "inner-tunnel" virtual server, it will not work.
+		#
+		#  Supported authentication methods inside of TEAP are
+		#  EAP-TLS, EAP-MSCHAPv2, and PAP.
+		#
+#		user_eap_type = mschapv2
+#		machine_eap_type = tls
 
 		#  If 'cipher_list' is set here, it will over-ride the
 		#  'cipher_list' configuration from the 'tls-common'

diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/rlm_eap_teap.c b/src/modules/rlm_eap/types/rlm_eap_teap/rlm_eap_teap.c
@@ -184,7 +184,7 @@ static int mod_instantiate(CONF_SECTION *cs, void **instance)
 
 			} else {
 			invalid_identity:
-				cf_log_err_cs(cs, "Invalid value in identity_types = '%s' %s",
+				cf_log_err_cs(cs, "Invalid value in identity_types = '%s' at %s",
 					      inst->identity_type_name, p);
 				return -1;
 			}
@@ -245,6 +245,14 @@ static int mod_session_init(void *type_arg, eap_handler_t *handler)
 
 	handler->tls = true;
 
+	if (request->parent) {
+		RWDEBUG("----------------------------------------------------------------------");
+		RWDEBUG("You have configured TEAP to run inside of TEAP.  THIS WILL NOT WORK.");
+		RWDEBUG("Supported inner methods for TEAP are EAP-TLS, EAP-MSCHAPv2, and PAP.");
+		RWDEBUG("Other methods may work, but are not actively supported.");
+		RWDEBUG("----------------------------------------------------------------------");
+	}
+
 	/*
 	 *	Check if we need a client certificate.
 	 */