Red Hat Bugzilla – Bug 712903
EAP TNC modules is not compiled and enabled by default and does not have updated TNC patch.
Last modified: 2013-11-19 11:28:47 EST
Description of problem:
There are 2 issues related to EAP_TNC module in Freeradius:
1. Freeradius does not have EAP_TNC module compiled and enabled by default.
2. The current EAP TNC module code base in Freeradius is from an older release of tnc@fhh (http://trust.inform.fh-hannover.de ). tnc@fhh has an updated release 0.8.2 and updated code for TNC support in Freeradius.
I have created an updated patch for latest EAP TNC support in Freeradius. The patch does:
1. Enables compilation of EAP-TNC in Freeradius.
2. Updated EAP_TNC code
3. Support of 2 inner authentication methods with EAP-MD5 as the first inner method and EAP-TNC as the second method when used with EAP_TTLS.
The patch has been created from the latest release tncffh-0.8.2.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Created attachment 504466 [details]
updated EAP TNC patch for freeradius.
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.
(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
Reopening as this is required for TNC support in Fedora.
wpa_supplicant enables EAP_TNC bye default now, so just FYI.
I've been following your communication with Alan DeKok on freeradius-devel. Until such point as all the necessary patches are accepted upstream and are in upstreams git repo I see little point in enabling this by default in Fedora. The last email from Alan said he didn't think it works and knows little about TNC.
That means there is no maintainer for this code at the present time. To get this enabled by default in Fedora it's going to have to have some type of community support for it. I urge you to continue to work with upstream to get TNC into a stable state the rest of the FreeRADIUS developers and community accepts, then we can enable it in our builds.
You can always build an RPM with the module enabled if you want a private build, that's trivial.
Why did you set the priority to high? What is critical about it?
Upstream does not appear to be ready to maintain it so the question is who is going to maintain this if we enable it?
Created attachment 699571 [details]
TNC TTLS patch
This patch adds ability to do EAP_TNC inside TTLS as a second EAP (inner) method. It is dependent on the libnaaeap lib in tncfhh package.
Was the patch in comment #8 sent upstream? Do you have the git commit id from upstream?
I have not yet sent the patch to upstream, as I have done only preliminary testing. I want to test it with other pieces of tnc before sending upstream.
(In reply to comment #9)
> Was the patch in comment #8 sent upstream? Do you have the git commit id
> from upstream?
Could you please any feedback on the patch? As I am not an expert on freeradius code, so your valuable comments would be appreciated.
I have been working with freeradius upstream for getting the patch in. They have accepted the patch and upstream commit is here:
Here is the upstream commit
Could you please apply the patch now in fedora?
Created attachment 708447 [details]
Thsi patch fixes a regression in freeradius that prevents tnc to work.
Freeradius upstream code introduced a regression by not allowing messages more than 253 bytes. It caused tnc to fail as thc messages were more than 253 bytes. This patch has been tailrod for current freeradius v2 branch. There is upstream commit for freeradius master branch here:
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.
(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)
More information and reason for this action is here:
The FreeRADIUS 3.x packages now build rlm_eap_tnc