Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selection possible?

Ulf Leichsenring ulf at leichsenring.net
Wed Apr 1 13:43:30 CEST 2009


Hi FreeRADIUS user community

I'm in search for some ideas for the following situation:

Given are several WLANs controlled by a Siemens Hipath C2400 WLAN
Controller with Siemens APs. The controller provides different WLANs
identified by different ESSIDs. All WLAN Clients use IEEE802.1x
authentication with EAP-TLS and client certificates.
The authentication is done by FreeRADIUS 1.0.1 on Redhat EL AS4.

At the moment, all clients use certificates and inside the FreeRADIUS
eap-tls section the ca certificates are trusted.
All Windows clients use a MS CA and have certificates with the Windows
system name as the certificate's common name. Other devices like mobile
scanners or WLAN mobile phones (VoIP) have manually generated
certificates with the device type as the certificate's common name like
"phone", "mobile scanner" or else.
So far, it works.

But now I was asked if it is possible to restrict the association of
several device types to defined ESSIDs. There should be a WLAN "office"
where all devices are allowed to connect if they have a valid certificate.
Other ESSIDs should only accept special devices, e.g. only devices with
the certificate's common name "phone" should be allowed to connect to the
ESSID "voice".

I know, the Siemens controller is able to send the ESSID the device is
trying to connect to inside the RADIUS request as vendor specific attribute.

Is it possible with FreeRADIUS to match these requirements? To select
based on the ESSID the device is connecting to?
If the connecting ESSID is "office", all devices with a valid
certificate are allowed to connect.
If the ESSID is "voice", only devices with a valid certificate and with
a certificate's common name that contains "*phone*" are allowed to connect.
If the ESSID is "production-1", only devices with a valid certificate
and with a certificate's common name that contains "*mobile scanner*" are
allowed to connect.

I've googled a lot, without success. All Freeradius documentation I've
found about eap-tls only describes how to accept all devices with a valid
certificate.
I've seen this scenario running with commercial RADIUS servers but I
guess it might also be possible using FreeRADIUS.

Any tip or idea is welcome.

-- 
Ulf Leichsenring
ulf at leichsenring.net
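The per-ESSID policy asked for above, written as an added example that is not part of the original post or of any reply in the thread. It assumes the unlang policy language of FreeRADIUS 2.x/3.x (not available in the 1.0.1 release the poster runs), that the controller's vendor-specific attribute for the ESSID is defined in a vendor dictionary under the placeholder name `Siemens-ESSID` (substitute the real attribute name), and that `Called-Station-Id` may alternatively carry the ESSID as `<AP-MAC>:<ESSID>`, which is common NAS behaviour. The check is placed in `post-auth` because the client certificate attributes such as `TLS-Client-Cert-Common-Name` are only populated once the EAP-TLS handshake has completed, and unknown ESSIDs are denied by default so a new SSID on the controller never becomes an open door by accident.

```unlang
# Added example (not from the poster or the FreeRADIUS project):
# ESSID-based authorisation after EAP-TLS, for the post-auth section of
# the virtual server (e.g. sites-enabled/default) in FreeRADIUS 2.x/3.x.
post-auth {
    #
    # Work out which ESSID the station is joining.
    # Siemens-ESSID is a PLACEHOLDER for the controller's vendor-specific
    # attribute; it must exist in a loaded vendor dictionary.
    #
    if (&Siemens-ESSID) {
        update request {
            &Tmp-String-0 := "%{Siemens-ESSID}"
        }
    }
    # Fallback: many NASes append the ESSID to Called-Station-Id
    # as "<AP-MAC>:<ESSID>".
    elsif (&Called-Station-Id =~ /^[0-9a-f-]+:(.+)$/i) {
        update request {
            &Tmp-String-0 := "%{1}"
        }
    }

    #
    # Every request reaching post-auth has already passed EAP-TLS, i.e. the
    # client presented a certificate chained to a trusted CA.  The policy
    # below only narrows which certificate subjects may use which ESSID.
    #
    switch "%{Tmp-String-0}" {
        case "office" {
            # Any valid certificate is sufficient here.
            ok
        }
        case "voice" {
            # Only certificates whose CN contains "phone".
            if (&TLS-Client-Cert-Common-Name !~ /phone/i) {
                reject
            }
        }
        case "production-1" {
            # Only certificates whose CN contains "mobile scanner".
            if (&TLS-Client-Cert-Common-Name !~ /mobile scanner/i) {
                reject
            }
        }
        case {
            # Unknown or missing ESSID: default deny.
            reject
        }
    }
}
```

Rejections raised from `post-auth` run the `Post-Auth-Type REJECT` section, so the usual reply attributes and logging for a refused station still apply; a `%{TLS-Client-Cert-Common-Name}` reference in the reject log line makes it easy to see in `radius.log` which certificate was turned away from which ESSID.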



