EAP-TLS with different CA per user?

Alan DeKok aland at deployingradius.com
Sun Jun 8 08:45:29 CEST 2008


Frank Sweetser wrote:
> The usernames currently don't have a domain portion.  Would it be possible for
> me to set a default domain for a given username?  (The list is small, so would
> be manageable for me.)  And if so, could you give me at least a rough example
> of how I would set this up?

  You can configure two different versions of the EAP module.  Each one
has its own server cert && CA.  Then, in the "authorize" section, do:

authorize {
	...
	if (User-Name == "user1") {
		eap_1
	}
	elsif (User-Name == "user2") {
		eap_2
	}
	...

}

authenticate {
	...
	eap_1
	eap_2
	...
}

  That should work.

  Alan DeKok.
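
The two EAP instances named in the reply could be defined as below. This is an added example, not part of the original message or the project's shipped configuration. It assumes FreeRADIUS 2.x-style eap.conf option names (they differ in other versions) and placeholder certificate paths. Because the User-Name that selects the instance is supplied by the client before its certificate is checked, each instance also sets check_cert_cn so the certificate's CN must match that User-Name.

```conf
# Added example: two named instances of the eap module, one per CA.
# All file paths are placeholders (assumptions), not taken from the thread.

# Instance used for user1: server cert and trusted client CA from "ca1".
eap eap_1 {
	default_eap_type = tls
	tls {
		private_key_file = ${confdir}/certs/ca1/server.key
		certificate_file = ${confdir}/certs/ca1/server.pem
		# Only client certificates issued under this CA validate here.
		CA_file = ${confdir}/certs/ca1/ca.pem
		dh_file = ${confdir}/certs/dh
		random_file = ${confdir}/certs/random
		# Reject a certificate whose CN differs from the User-Name
		# that routed the request to this instance.
		check_cert_cn = %{User-Name}
	}
}

# Instance used for user2: same layout, different server cert and CA.
eap eap_2 {
	default_eap_type = tls
	tls {
		private_key_file = ${confdir}/certs/ca2/server.key
		certificate_file = ${confdir}/certs/ca2/server.pem
		CA_file = ${confdir}/certs/ca2/ca.pem
		dh_file = ${confdir}/certs/dh
		random_file = ${confdir}/certs/random
		check_cert_cn = %{User-Name}
	}
}
```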


