Provide facility to enable/disable EAP types

33d8503d · Jonathan Gazeley · 8b97e7cb · 33d8503d · 33d8503d
Commit 33d8503d authored Mar 13, 2017 by Jonathan Gazeley
--- a/manifests/module/eap.pp
+++ b/manifests/module/eap.pp
@@ -67,6 +67,10 @@ define freeradius::module::eap (
  Optional[Freeradius::Boolean] $peap_require_client_cert           = undef,
  Optional[Freeradius::Boolean] $mschapv2_send_error                = undef,
  Optional[String] $mschapv2_identity                               = undef,
+  Boolean $eap_md5                                                  = true,
+  Boolean $eap_leap                                                 = true,
+  Boolean $eap_gtc                                                  = true,
+  Boolean $eap_peap                                                 = true,
 ) {

  freeradius::module{$name:

--- a/templates/eap.erb
+++ b/templates/eap.erb
@@ -65,6 +65,7 @@ eap {

  # Supported EAP-types

+<%- if @eap_md5 -%>
  #
  #  We do NOT recommend using EAP-MD5 authentication
  #  for wireless connections.  It is insecure, and does
@@ -72,6 +73,7 @@ eap {
  #
  md5 {
  }
+<%- end -%>

  #
  # EAP-pwd -- secure password-based authentication
@@ -108,6 +110,7 @@ eap {
   }
 <%- end -%>

+<%- if @eap_leap -%>
  # Cisco LEAP
  #
  #  We do not recommend using LEAP in new deployments.  See:
@@ -122,7 +125,9 @@ eap {
  #
  leap {
  }
+<%- end -%>

+<%- if @eap_gtc -%>
  #  Generic Token Card.
  #
  #  Currently, this is only permitted inside of EAP-TTLS,
@@ -156,6 +161,7 @@ eap {
    #
    auth_type = <%= @gtc_auth_type %>
  }
+<%- end -%>

  ## Common TLS configuration for TLS-based EAP types
  #
@@ -755,7 +761,7 @@ eap {
 <%- end -%>
  }

-
+<%- if @eap_peap -%>
  ## EAP-PEAP
  #

@@ -891,7 +897,8 @@ eap {
 <%- if @peap_require_client_cert -%>
    require_client_cert = <%= @peap_require_client_cert %>
 <%- end -%>
-  }
+}
+<%- end -%>

  #
  #  This takes no configuration.