Bug 53263 - Broken Config when switching to auth-type ttls
Summary: Broken Config when switching to auth-type ttls
Status: NEW
Alias: None
Product: UCS
Classification: Unclassified
Component: Radius
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assignee: UCS maintainers
QA Contact: UCS maintainers
 
Reported: 2021-05-17 09:11 CEST by Raoul Borenius
Modified: 2024-11-28 15:58 CET

What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.057


Description Raoul Borenius 2021-05-17 09:11:26 CEST
Setting

ucr set freeradius/conf/auth-type/mschap=no
ucr set freeradius/conf/auth-type/ttls=yes

creates a broken config:

freeradius[7651]: /etc/freeradius/3.0/mods-enabled/eap[831]: Failed to find 'Auth-Type MS-CHAP' section.  Cannot authenticate users.

Fix:

--- /etc/univention/templates/files/etc/freeradius/3.0/mods-available/eap.orig  2020-11-24 19:45:21.000000000 +0100
+++ /etc/univention/templates/files/etc/freeradius/3.0/mods-available/eap       2021-05-16 16:24:20.532854512 +0200
@@ -860,7 +860,13 @@
        #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
        #  currently support.
        #
-       mschapv2 {
+@!@
+auth_type = configRegistry.get('freeradius/conf/auth-type/mschap', 'FALSE')
+if auth_type and 'TRUE' == auth_type.upper() or 'YES' == auth_type.upper():
+       print('\t mschapv2 {')
+else:
+       print('\t# mschapv2 {')
+@!@
                #  Prior to version 2.1.11, the module never
                #  sent the MS-CHAP-Error message to the
                #  client.  This worked, but it had issues
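Review bot: The fallback 'FALSE' in the added configRegistry.get('freeradius/conf/auth-type/mschap', 'FALSE') line changes behaviour for systems where the variable is unset: the removed line emitted "mschapv2 {" unconditionally, while the new template comments it out unless the variable is explicitly true or yes. If unset installations should keep the previous behaviour, the fallback has to be a true value. The condition also mixes `and` and `or` without parentheses, so it parses as (auth_type and 'TRUE' == ...) or ('YES' == ...), and the truthiness guard does not cover the second comparison. configRegistry.is_true('freeradius/conf/auth-type/mschap', True) would express the intent in one call and accept the usual UCR spellings of a true value. Minor style point: print('\t mschapv2 {') emits a tab followed by a space, which does not match the indentation of the surrounding block.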
@@ -884,7 +890,13 @@
                #  RADIUS server.  Or, some information to uniquely
                #  identify it.
 #              identity = "FreeRADIUS"
-       }
+@!@
+auth_type = configRegistry.get('freeradius/conf/auth-type/mschap', 'FALSE')
+if auth_type and 'TRUE' == auth_type.upper() or 'YES' == auth_type.upper():
+       print('\t}')
+else:
+       print('\t# }')
+@!@
 
        ## EAP-FAST
        #
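Review bot: Commenting out only the closing brace here, and only the opening line in the previous hunk, produces a valid file only as long as every line between them is itself a comment. An active directive inside the block, added by a later template update or a local change, would end up outside any sub-section when mschap is disabled. Wrapping the whole mschapv2 section in one @!@ block, or prefixing each line inside it under the same condition, would avoid that. The condition is also repeated verbatim from the first hunk; with two separate copies the opening and closing lines can drift apart and leave unbalanced braces, so the template should not carry two independent copies of the test.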