Provide facility to enable/disable EAP types

djjudas21 · Mar 13, 2017 · 33d8503 · 33d8503
1 parent 8b97e7c
commit 33d8503
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/manifests/module/eap.pp b/manifests/module/eap.pp
@@ -67,6 +67,10 @@
   Optional[Freeradius::Boolean] $peap_require_client_cert           = undef,
   Optional[Freeradius::Boolean] $mschapv2_send_error                = undef,
   Optional[String] $mschapv2_identity                               = undef,
+  Boolean $eap_md5                                                  = true,
+  Boolean $eap_leap                                                 = true,
+  Boolean $eap_gtc                                                  = true,
+  Boolean $eap_peap                                                 = true,
 ) {
 
   freeradius::module{$name:

diff --git a/templates/eap.erb b/templates/eap.erb
@@ -65,13 +65,15 @@ eap {
 
   # Supported EAP-types
 
+<%- if @eap_md5 -%>
   #
   #  We do NOT recommend using EAP-MD5 authentication
   #  for wireless connections.  It is insecure, and does
   #  not provide for dynamic WEP keys.
   #
   md5 {
   }
+<%- end -%>
 
   #
   # EAP-pwd -- secure password-based authentication
@@ -108,6 +110,7 @@ eap {
    }
 <%- end -%>
 
+<%- if @eap_leap -%>
   # Cisco LEAP
   #
   #  We do not recommend using LEAP in new deployments.  See:
@@ -122,7 +125,9 @@ eap {
   #
   leap {
   }
+<%- end -%>
 
+<%- if @eap_gtc -%>
   #  Generic Token Card.
   #
   #  Currently, this is only permitted inside of EAP-TTLS,
@@ -156,6 +161,7 @@ eap {
     #
     auth_type = <%= @gtc_auth_type %>
   }
+<%- end -%>
 
   ## Common TLS configuration for TLS-based EAP types
   #
@@ -755,7 +761,7 @@ eap {
 <%- end -%>
   }
 
-
+<%- if @eap_peap -%>
   ## EAP-PEAP
   #
 
@@ -891,7 +897,8 @@ eap {
 <%- if @peap_require_client_cert -%>
     require_client_cert = <%= @peap_require_client_cert %>
 <%- end -%>
-  }
+}
+<%- end -%>
 
   #
   #  This takes no configuration.