mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2025-07-07 08:14:58 +03:00

Reworking the EAP CN matching option from admin options to extended options

Evengard
2023-01-24 12:07:25 +03:00
parent 0a60cdf141
commit 26403c70e3
11 changed files with 15 additions and 9 deletions


@ -45,7 +45,6 @@ static bool g_vgs_emb_tag = false;
ADMIN_OPTION admin_options[] =
{
{"allow_hub_admin_change_option", 0},
{"allow_eap_tls_match_user_by_cert", 0},
{"max_users", 0},
{"max_multilogins_per_user", 0},
{"max_groups", 0},
@ -617,6 +616,7 @@ void DataToHubOptionStruct(HUB_OPTION *o, RPC_ADMIN_OPTION *ao)
GetHubAdminOptionDataAndSet(ao, "NoPhysicalIPOnPacketLog", o->NoPhysicalIPOnPacketLog);
GetHubAdminOptionDataAndSet(ao, "UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption);
GetHubAdminOptionDataAndSet(ao, "UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId);
GetHubAdminOptionDataAndSet(ao, "AllowEapMatchUserByCert", o->AllowEapMatchUserByCert);
}
// Convert the contents of the HUB_OPTION to data
@ -691,6 +691,7 @@ void HubOptionStructToData(RPC_ADMIN_OPTION *ao, HUB_OPTION *o, char *hub_name)
Add(aol, NewAdminOption("NoPhysicalIPOnPacketLog", o->NoPhysicalIPOnPacketLog));
Add(aol, NewAdminOption("UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption));
Add(aol, NewAdminOption("UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId));
Add(aol, NewAdminOption("AllowEapMatchUserByCert", o->AllowEapMatchUserByCert));
Zero(ao, sizeof(RPC_ADMIN_OPTION));
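Review bot: Removing `allow_eap_tls_match_user_by_cert` from `admin_options[]` and exposing `AllowEapMatchUserByCert` through `DataToHubOptionStruct`/`HubOptionStructToData` may change who can switch the feature on. The table's first entry, `allow_hub_admin_change_option`, suggests admin options are gated for hub administrators, while the write path for hub options is not visible in this section. If hub administrators can edit extended options, they can now enable CN-based identity matching without the server administrator's consent; that should be confirmed and documented, e.g. `// Security-sensitive: lets an EAP identity fall back to a certificate CN lookup; off unless explicitly set` next to the new `GetHubAdminOptionDataAndSet` line. Hubs that already set the old admin option also appear to lose the behaviour after upgrading, since nothing visible here carries the old value over; a one-time migration or a release note would avoid a silent authentication change.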


@ -182,6 +182,7 @@ struct HUB_OPTION
bool NoPhysicalIPOnPacketLog; // Disable saving physical IP address on the packet log
bool UseHubNameAsDhcpUserClassOption; // Add HubName to DHCP request as User-Class option
bool UseHubNameAsRadiusNasId; // Add HubName to Radius request as NAS-Identifier attrioption
bool AllowEapMatchUserByCert; // Allow matching EAP Identity with user certificate CNs
};
// MAC table entry


@ -1295,7 +1295,7 @@ bool PPPProcessEAPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req
AcLock(hub);
{
USER *user = AcGetUser(hub, p->Eap_Identity.UserName);
if (user == NULL && GetHubAdminOption(hub, "allow_eap_tls_match_user_by_cert") == true)
if (user == NULL && hub->Option->AllowEapMatchUserByCert == true)
{
user = AcGetUserByCert(hub, p->Eap_Identity.UserName);
if (user != NULL)
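Review bot: `p->Eap_Identity.UserName` is supplied by the peer and, as far as this hunk shows, is not yet authenticated when it is passed to `AcGetUserByCert`, so with the option on the claimed identity alone selects the account by certificate CN. A comment stating the invariant would help, e.g. `// Identity is unauthenticated here; the EAP-TLS certificate check must still bind the peer to this user`. It is also worth confirming how `AcGetUserByCert` behaves when several users share a CN, which is not visible here. The comparison can drop the redundant `== true`: `if (user == NULL && hub->Option->AllowEapMatchUserByCert)`. The function body starts and ends outside the hunk.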


@ -3932,6 +3932,7 @@ void SiLoadHubOptionCfg(FOLDER *f, HUB_OPTION *o)
o->NoPhysicalIPOnPacketLog = CfgGetBool(f, "NoPhysicalIPOnPacketLog");
o->UseHubNameAsDhcpUserClassOption = CfgGetBool(f, "UseHubNameAsDhcpUserClassOption");
o->UseHubNameAsRadiusNasId = CfgGetBool(f, "UseHubNameAsRadiusNasId");
o->AllowEapMatchUserByCert = CfgGetBool(f, "AllowEapMatchUserByCert");
// Enabled by default
if (CfgIsItem(f, "ManageOnlyPrivateIP"))
@ -4037,6 +4038,7 @@ void SiWriteHubOptionCfg(FOLDER *f, HUB_OPTION *o)
CfgAddBool(f, "DisableCorrectIpOffloadChecksum", o->DisableCorrectIpOffloadChecksum);
CfgAddBool(f, "UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption);
CfgAddBool(f, "UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId);
CfgAddBool(f, "AllowEapMatchUserByCert", o->AllowEapMatchUserByCert);
}
// Write the user
@ -7521,6 +7523,7 @@ void SiCalledUpdateHub(SERVER *s, PACK *p)
o.DisableCorrectIpOffloadChecksum = PackGetBool(p, "DisableCorrectIpOffloadChecksum");
o.UseHubNameAsDhcpUserClassOption = PackGetBool(p, "UseHubNameAsDhcpUserClassOption");
o.UseHubNameAsRadiusNasId = PackGetBool(p, "UseHubNameAsRadiusNasId");
o.AllowEapMatchUserByCert = PackGetBool(p, "AllowEapMatchUserByCert");
save_packet_log = PackGetInt(p, "SavePacketLog");
packet_log_switch_type = PackGetInt(p, "PacketLogSwitchType");
@ -9355,6 +9358,7 @@ void SiPackAddCreateHub(PACK *p, HUB *h)
PackAddData(p, "SecurePassword", h->SecurePassword, SHA1_SIZE);
PackAddBool(p, "UseHubNameAsDhcpUserClassOption", h->Option->UseHubNameAsDhcpUserClassOption);
PackAddBool(p, "UseHubNameAsRadiusNasId", h->Option->UseHubNameAsRadiusNasId);
PackAddBool(p, "AllowEapMatchUserByCert", h->Option->AllowEapMatchUserByCert);
SiAccessListToPack(p, h->AccessList);