EAP-TLS or EAP-TTLS

Panagiotis Georgopoulos panos at comp.lancs.ac.uk
Mon Nov 7 23:50:27 CET 2011


Hi Phil,

Thanks for your reply. Please see below.

> On 07/11/11 16:24, Panagiotis Georgopoulos wrote:
> > Hello all,
> >
> > I have a policy in my post-auth that calculates a hash function based
> > on the real-identity of the user. The idea is that if the request is
> > EAP-TTLS then I want to use the User-Name property of the inner
> > tunnel, whereas if the request is for EAP-TLS I want to use the
> > BUF-Name (if I've got it correctly).
> 
> BUF-Name is not a standard attribute.

You are right, I just "grabbed" that from the debug output. I guess
TLS-Client-Cert-CN is far more appropriate.


> > How do I determine in my policy whether we are doing EAP-TLS or
> > EAP-TTLS? Can anyone help with that 'if' I am looking for?
> 
> I'm not clear on exactly what you want. Perhaps you could explain in more
> detail?
> 
> Possibly something like:
> 
> post-auth {
> 
>   if (EAP-Type == EAP-TTLS) {
>     update reply {
>       My-Hash := "%{md5:%{reply:User-Name}}"
>     }
>   }
> 
>   elsif (EAP-Type == EAP-TLS) {
>     update reply {
>       My-Hash := "%{md5:%{TLS-Cert-Subject}}"
>     }
>   }
> 
> }
> 
> ...is what you're looking for?

This is exactly what I was looking for! I didn't know that 'EAP-Type' holds
the authentication type. That will do the job.

Thanks a lot,
Panos







