Alternate server certificate

Ivan Kalik tnt at kalik.net
Mon Jul 20 22:19:18 CEST 2009


> We have Access Points that contain multiple SSIDs.  Some are for internal
> use and some are for guest access.  All are secured using WPA w/PEAP.  I
> would like FreeRadius to present a cert. from our internal CA for the
> SSIDs that are internal and present a cert. from one of the CAs that
> Windows trusts by default for guest access.  I haven't found a way to
> control this on the AP (i.e., to select a different RADIUS server address
> or port based upon SSID).  Is it possible to accomplish this in FreeRadius
> given that I can determine the SSID by looking at a request attribute?

Yes.

>
> Some ideas I have are:
>
> - Have two instances of the EAP module (one for internal SSIDs and one for
> guest) and select which one to use with some unlang code (based upon the
> value of 1 request attribute)

That should work.

> - Create a virtual server for guest access that uses an EAP module with
> the cert. from the well-known CA

That is insecure. Your clients will trust *any* server certificate signed
by that public CA.

Ivan Kalik
Kalik Informatika ISP
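
A sketch of the first idea above (two EAP module instances selected in unlang), added here as an example; it is not part of the original message and is not the project's shipped configuration. It assumes FreeRADIUS 3.x syntax, that the AP sends the SSID as the suffix of Called-Station-Id ("MAC:SSID"), and a hypothetical guest SSID `Guest-WiFi`; the instance name `eap_guest`, the `tls-config` names and all file names are placeholders.

```conf
# mods-enabled/eap -- two instances of the same module (assumed 3.x layout)
eap {                                   # default instance: internal SSIDs
    default_eap_type = peap
    tls-config tls-internal {
        # placeholder paths: server cert issued by the internal CA
        private_key_file = ${certdir}/internal-server.key
        certificate_file = ${certdir}/internal-server.pem
    }
    peap {
        tls = tls-internal
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

eap eap_guest {                         # second instance: guest SSID
    default_eap_type = peap
    tls-config tls-guest {
        # placeholder paths: server cert (with chain) from the public CA
        private_key_file = ${certdir}/guest-server.key
        certificate_file = ${certdir}/guest-server-chain.pem
    }
    peap {
        tls = tls-guest
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

# sites-enabled/default -- only the EAP-related entries are shown
authorize {
    # Called-Station-Id is in every Access-Request of the EAP conversation,
    # so each round trip reaches the same instance.
    if (&Called-Station-Id =~ /:Guest-WiFi$/) {   # hypothetical SSID
        eap_guest {
            ok = return
        }
    }
    else {
        eap {
            ok = return
        }
    }
}
authenticate {
    Auth-Type eap_guest {               # matches the Auth-Type set by eap_guest
        eap_guest
    }
    eap
}
```

Whichever certificate is presented, a supplicant only authenticates the server if it is configured to check the expected server name in addition to the issuing CA.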



