setting-8021x: Fix descriptions for phase2-auth & phase2-autheap

phase2-auth applies to both EAP-TTLS and EAP-PEAP, but the interpretation
differs between the two; clarify the difference.
phase2-auth is for the non-EAP inner methods of EAP-TTLS but is also for
the EAP inner methods of EAP-PEAP.  EAP-PEAP doesn't use phase2-autheap
and doesn't support any non-EAP methods.

Given how complicated EAP configuration is it's likely that people just
use example configurations rather than look at the docs.  The example
configuration in man/nm-settings-keyfile.xsl is correct in using PEAP
together with phase2-auth=mschapv2.

[thaller@redhat.com: regenerate documentation files]
Andrew Zaborowski 2020-11-27 12:42:32 +01:00 committed by Thomas Haller
parent 4fcdd1eb48
commit ba7a13789f
No known key found for this signature in database
GPG key ID: 29C2366E4DFC5728
3 changed files with 20 additions and 15 deletions
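The rules the commit message spells out (TTLS selects a non-EAP inner method with phase2-auth and an EAP inner method with phase2-autheap; PEAP selects its EAP inner method with phase2-auth and never uses phase2-autheap) map onto wpa_supplicant's `phase2="auth=..."` / `phase2="autheap=..."` syntax. The following is an added example, not NetworkManager code: it parses a constructed keyfile `[802-1x]` section and derives the supplicant phase2 string while rejecting the combinations the new descriptions forbid. The method sets follow the corrected descriptions (with "mschapv2" kept for PEAP because the commit message itself calls `PEAP` + `phase2-auth=mschapv2` the correct example); how NetworkManager's own verify step reacts to the rejected combinations is an assumption here, not copied from the project.

```python
# Added example, not NetworkManager code: derive the wpa_supplicant
# `phase2=` value from a keyfile [802-1x] section, applying the TTLS/PEAP
# rules the corrected descriptions state. The "auth=" / "autheap=" spelling
# follows wpa_supplicant.conf; the exact validation NetworkManager performs
# on bad combinations is assumed, not copied from the project.
import configparser
from typing import Optional

# Inner methods per outer method, as the new descriptions read.
# "mschapv2" is kept in the PEAP set because the commit message calls
# PEAP + phase2-auth=mschapv2 the correct keyfile example.
TTLS_NON_EAP = {"pap", "chap", "mschap", "mschapv2"}   # via phase2-auth
TTLS_EAP = {"md5", "mschapv2", "otp", "gtc", "tls"}     # via phase2-autheap
PEAP_EAP = {"gtc", "otp", "md5", "tls", "mschapv2"}     # via phase2-auth
TUNNELED = {"ttls", "peap"}


class Invalid8021x(ValueError):
    """A phase2 combination the property descriptions do not allow."""


def _clean(value: Optional[str]) -> str:
    # keyfile list values carry a trailing ';' (e.g. "eap=peap;")
    return (value or "").strip().rstrip(";").lower()


def supplicant_phase2(section) -> Optional[str]:
    """Return 'auth=...' / 'autheap=...' for wpa_supplicant, or None when
    no inner method applies. `section` is any mapping with .get()."""
    eap = _clean(section.get("eap"))
    auth = _clean(section.get("phase2-auth"))
    autheap = _clean(section.get("phase2-autheap"))

    if auth and autheap:
        raise Invalid8021x("phase2-auth and phase2-autheap cannot both be set")
    if eap not in TUNNELED:
        if auth or autheap:
            raise Invalid8021x(f"eap={eap!r} has no inner TLS tunnel")
        return None

    if eap == "ttls":
        if auth:
            if auth not in TTLS_NON_EAP:
                raise Invalid8021x(
                    f"{auth!r} is not a TTLS non-EAP inner method; "
                    "EAP inner methods go in phase2-autheap")
            return f"auth={auth.upper()}"
        if autheap:
            if autheap not in TTLS_EAP:
                raise Invalid8021x(f"{autheap!r} is not a TTLS inner EAP method")
            return f"autheap={autheap.upper()}"
        return None

    # eap == "peap": only EAP inner methods exist, and they are selected
    # through phase2-auth; phase2-autheap is not used with PEAP.
    if autheap:
        raise Invalid8021x("PEAP does not use phase2-autheap; set phase2-auth")
    if not auth:
        return None
    if auth not in PEAP_EAP:
        raise Invalid8021x(f"{auth!r} is not a PEAP inner EAP method")
    return f"auth={auth.upper()}"


def is_rejected(section) -> bool:
    """True when the section is one of the forbidden combinations."""
    try:
        supplicant_phase2(section)
    except Invalid8021x:
        return True
    return False


def phase2_for_keyfile(text: str) -> Optional[str]:
    """Parse a keyfile and return the phase2 value of its [802-1x] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return supplicant_phase2(cp["802-1x"])


# Constructed sample keyfiles, not taken from the repository.
PEAP_KEYFILE = """
[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
"""

TTLS_KEYFILE = """
[802-1x]
eap=ttls;
identity=alice
phase2-autheap=mschapv2
"""

if __name__ == "__main__":
    print(phase2_for_keyfile(PEAP_KEYFILE))  # auth=MSCHAPV2
    print(phase2_for_keyfile(TTLS_KEYFILE))  # autheap=MSCHAPV2
```

Note that the same inner credential method (MSCHAPv2) ends up as `auth=` under PEAP but `autheap=` under TTLS when it is carried as EAP-MSCHAPv2; that is exactly the asymmetry the corrected descriptions are trying to make visible to people copying examples.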


@ -145,9 +145,9 @@
<property name="phase1-auth-flags"
description="Specifies authentication flags to use in &quot;phase 1&quot; outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details." />
<property name="phase2-auth"
description="Specifies the allowed &quot;phase 2&quot; inner non-EAP authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property. Recognized non-EAP &quot;phase 2&quot; methods are &quot;pap&quot;, &quot;chap&quot;, &quot;mschap&quot;, &quot;mschapv2&quot;, &quot;gtc&quot;, &quot;otp&quot;, &quot;md5&quot;, and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details." />
description="Specifies the allowed &quot;phase 2&quot; inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property. For TTLS this property selects one of the supported non-EAP inner methods: &quot;pap&quot;, &quot;chap&quot;, &quot;mschap&quot;, &quot;mschapv2&quot; while &quot;phase2-autheap&quot; selects an EAP inner method. For PEAP this selects an inner EAP method, one of: &quot;gtc&quot;, &quot;otp&quot;, &quot;md5&quot; and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. Both &quot;phase2-auth&quot; and &quot;phase2-autheap&quot; cannot be specified." />
<property name="phase2-autheap"
description="Specifies the allowed &quot;phase 2&quot; inner EAP-based authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property. Recognized EAP-based &quot;phase 2&quot; methods are &quot;md5&quot;, &quot;mschapv2&quot;, &quot;otp&quot;, &quot;gtc&quot;, and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details." />
description="Specifies the allowed &quot;phase 2&quot; inner EAP-based authentication method when TTLS is specified in the &quot;eap&quot; property. Recognized EAP-based &quot;phase 2&quot; methods are &quot;md5&quot;, &quot;mschapv2&quot;, &quot;otp&quot;, &quot;gtc&quot;, and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details." />
<property name="phase2-ca-cert"
description="Contains the &quot;phase 2&quot; CA certificate if used by the EAP method specified in the &quot;phase2-auth&quot; or &quot;phase2-autheap&quot; properties. Certificate data is specified using a &quot;scheme&quot;; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate&apos;s DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string &quot;file://&quot; and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory." />
<property name="phase2-ca-cert-password"
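Review bot: the PEAP list in the new phase2-auth description ("gtc", "otp", "md5" and "tls") drops "mschapv2", yet the commit message says the keyfile example PEAP together with phase2-auth=mschapv2 is correct, and the previous text listed it; add "mschapv2" to the PEAP set or the description contradicts the very example it is meant to match. The closing sentence "Both "phase2-auth" and "phase2-autheap" cannot be specified." reads as if neither may be set; suggest "phase2-auth and phase2-autheap cannot both be specified at the same time." It would also help to say what happens when a disallowed combination is given (rejected by verification or silently ignored), since an inner method that is silently dropped changes what the supplicant will accept.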


@ -67,8 +67,8 @@
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPLABEL N_("Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to \"1\" to force use of the new PEAP label. See the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPVER N_("Forces which PEAP version is used when PEAP is set as the EAP method in the \"eap\" property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to \"0\" or \"1\" to force that specific PEAP version.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES N_("List of strings to be matched against the altSubjectName of the certificate presented by the authentication server during the inner \"phase 2\" authentication. If the list is empty, no verification of the server certificate's altSubjectName is performed.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTH N_("Specifies the allowed \"phase 2\" inner non-EAP authentication method when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property. Recognized non-EAP \"phase 2\" methods are \"pap\", \"chap\", \"mschap\", \"mschapv2\", \"gtc\", \"otp\", \"md5\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTHEAP N_("Specifies the allowed \"phase 2\" inner EAP-based authentication method when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property. Recognized EAP-based \"phase 2\" methods are \"md5\", \"mschapv2\", \"otp\", \"gtc\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTH N_("Specifies the allowed \"phase 2\" inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property. For TTLS this property selects one of the supported non-EAP inner methods: \"pap\", \"chap\", \"mschap\", \"mschapv2\" while \"phase2-autheap\" selects an EAP inner method. For PEAP this selects an inner EAP method, one of: \"gtc\", \"otp\", \"md5\" and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. Both \"phase2-auth\" and \"phase2-autheap\" cannot be specified.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTHEAP N_("Specifies the allowed \"phase 2\" inner EAP-based authentication method when TTLS is specified in the \"eap\" property. Recognized EAP-based \"phase 2\" methods are \"md5\", \"mschapv2\", \"otp\", \"gtc\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT N_("Contains the \"phase 2\" CA certificate if used by the EAP method specified in the \"phase2-auth\" or \"phase2-autheap\" properties. Certificate data is specified using a \"scheme\"; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD N_("The password used to access the \"phase2\" CA certificate stored in \"phase2-ca-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"phase2-ca-cert-password\" property.")
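Review bot: this file is regenerated from the gtk-doc comments ("[thaller@redhat.com: regenerate documentation files]"), so the wording problems carry over verbatim: the PEAP list in DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTH omits "mschapv2" although the commit message calls PEAP with phase2-auth=mschapv2 correct, and "Both "phase2-auth" and "phase2-autheap" cannot be specified." is ambiguous about whether one of them may be set. Fix the NMSetting8021x:phase2-auth comment in the source and regenerate rather than editing this header.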


@ -3998,19 +3998,24 @@ nm_setting_802_1x_class_init(NMSetting8021xClass *klass)
/**
* NMSetting8021x:phase2-auth:
*
* Specifies the allowed "phase 2" inner non-EAP authentication method when
* an EAP method that uses an inner TLS tunnel is specified in the
* #NMSetting8021x:eap property. Recognized non-EAP "phase 2" methods are
* "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", and "tls".
* Specifies the allowed "phase 2" inner authentication method when an EAP
* method that uses an inner TLS tunnel is specified in the #NMSetting8021x:eap
* property. For TTLS this property selects one of the supported non-EAP
* inner methods: "pap", "chap", "mschap", "mschapv2" while
* #NMSetting8021x:phase2-autheap selects an EAP inner method. For PEAP
* this selects an inner EAP method, one of: "gtc", "otp", "md5" and "tls".
* Each "phase 2" inner method requires specific parameters for successful
* authentication; see the wpa_supplicant documentation for more details.
* Both #NMSetting8021x:phase2-auth and #NMSetting8021x:phase2-autheap cannot
* be specified.
**/
/* ---ifcfg-rh---
* property: phase2-auth
* variable: IEEE_8021X_INNER_AUTH_METHODS(+)
* values: "PAP", "CHAP", "MSCHAP", "MSCHAPV2", "GTC", "OTP", "MD5" and "TLS"
* description: Inner non-EAP authentication methods. IEEE_8021X_INNER_AUTH_METHODS
* can contain values both for 'phase2-auth' and 'phase2-autheap' properties.
* description: Inner non-EAP authentication methods for TTLS or the inner EAP
* authentication method for PEAP. IEEE_8021X_INNER_AUTH_METHODS can contain
* values both for 'phase2-auth' and 'phase2-autheap' properties.
* example: IEEE_8021X_INNER_AUTH_METHODS=PAP
* ---end---
*/
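Review bot: the ifcfg-rh "values:" line still lists "PAP", "CHAP", "MSCHAP", "MSCHAPV2", "GTC", "OTP", "MD5" and "TLS" as one flat set, while the description just below it now distinguishes TTLS non-EAP methods from the PEAP inner EAP method; split the values line along the same lines (TTLS: PAP, CHAP, MSCHAP, MSCHAPV2; PEAP: GTC, OTP, MD5, TLS, plus MSCHAPV2 given the commit message's example), or the ifcfg-rh reader cannot tell which values are valid for which outer method. In the gtk-doc body, "Both ... cannot be specified" should read "cannot both be specified", and the PEAP list there should include "mschapv2" for the same reason.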
@ -4025,11 +4030,11 @@ nm_setting_802_1x_class_init(NMSetting8021xClass *klass)
* NMSetting8021x:phase2-autheap:
*
* Specifies the allowed "phase 2" inner EAP-based authentication method
* when an EAP method that uses an inner TLS tunnel is specified in the
* #NMSetting8021x:eap property. Recognized EAP-based "phase 2" methods are
* "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase 2" inner method
* requires specific parameters for successful authentication; see the
* wpa_supplicant documentation for more details.
* when TTLS is specified in the #NMSetting8021x:eap property. Recognized
* EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc", and
* "tls". Each "phase 2" inner method requires specific parameters for
* successful authentication; see the wpa_supplicant documentation for
* more details.
**/
/* ---ifcfg-rh---
* property: phase2-autheap
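Review bot: the new wording restricts phase2-autheap to "when TTLS is specified" but does not say what happens when it is set together with eap=peap; the commit message states that PEAP doesn't use phase2-autheap, so document whether such a setting fails verification or is ignored. Since phase2-auth now limits TTLS to the four non-EAP methods, a sentence here that an EAP inner method for TTLS (EAP-MSCHAPv2, EAP-GTC, EAP-TLS, ...) must be selected through phase2-autheap, not phase2-auth, would help the readers the commit message expects to copy examples rather than read the docs.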