how to disable a particular EAP type in freeradius2 for a particular ESSID ?

Riccardo Veraldi Riccardo.Veraldi at cnaf.infn.it
Fri Feb 10 14:23:36 CET 2012


On 2/10/12 12:57 PM, Phil Mayers wrote:
> On 10/02/12 11:33, Riccardo Veraldi wrote:
>> Hello,
>> I have a radius infrastructure with multiple ESSID.
>> in particular I have the eduroam ESSID and another local ESSID.
>> They are managed by my freeradius2 server with 2 virtual-server
>> instances, one for eduroam and the other for my local ESSID.
>> Both are 802.1x infrastructures.
>>
>> I have always been disabling EAP-TLS in my local infrastructure writing
>> this in the users file
>>
>> DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
>>
>> but now I need EAP-TLS to be available for eduroam and I do not like the
>> solution to have a completely different radius server,
>
> If you have an "eduroam" SSID, what's going to stop your users 
> connecting to that, and using EAP-TLS?
>
>> I wanted to do it with only one freeradius server with virtual server
>> configuration.
>>
>> Thus I need to enable EAP-TLS for eduroam and disable EAP-TLS for my
>> local SSID.
>
> Does your wireless platform let you set different radius servers 
> per-SSID? If so, you can run a FreeRADIUS virtual server on separate 
> ports.
>
>>
>> How is possible to do this on freeradius2 ?
>
>  1. Define two virtual servers
>  2. Have them listen on different ports
>  3. Set the radius servers for the two SSIDs to the relevant ports
>  4. Write a different policy in each virtual server
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
Hi,
I know all this and I already did this.
What I miss is to write a different policy on each virtual server.
eduroam is all fine, EAP-TLS is the default.

But how to tell the other virtual server to disable EAP-TLS authentication?
The virtual servers receive requests from the same access points, and 
each access point has two SSIDs.
Each ESSID sends requests to a different virtual server IP.
I have found no way to tell the local virtual server (the one serving the 
local ESSID) to disable EAP-TLS.
If I do it in the users file, this configuration is valid for both virtual 
servers:

DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject

I cannot have two separate users files, the users file is common to both 
virtual servers.
Is there a way to have a users file for each virtual server?
I did not find it is possible from the documentation.


Ricdk
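As an added example (not part of this thread and not FreeRADIUS's shipped configuration), here is how step 4 of Phil's list, "a different policy in each virtual server", could be written in FreeRADIUS 2.x unlang rather than in the shared users file. The virtual server name `local-essid`, the listen port `1822` and the file path are assumptions; it also assumes the `DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject` line has been removed from the shared users file, so that the eduroam virtual server keeps EAP-TLS and only this server rejects it.

```unlang
# Added example, not from the thread or from FreeRADIUS's shipped configs.
# Assumed file: raddb/sites-available/local-essid (symlinked into sites-enabled).
# Assumed: the shared users file no longer contains
#   DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
# so the eduroam virtual server keeps EAP-TLS and only this server rejects it.
server local-essid {
    # Assumed port; the access points send the local ESSID's requests here,
    # the eduroam ESSID's requests go to the other virtual server's port.
    listen {
        type = auth
        ipaddr = *
        port = 1822
    }

    authorize {
        preprocess
        suffix

        # rlm_eap adds an EAP-Type attribute to the request once it has
        # parsed the EAP-Message, so the check below must come after "eap".
        eap {
            ok = return
        }

        # Per-virtual-server policy: the same test the users file applied,
        # but scoped to this server only. The eduroam server omits this block.
        if (EAP-Type == EAP-TLS) {
            update control {
                Auth-Type := Reject
            }
        }

        # The shared users file is still consulted for everything else.
        files
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

This works for the same reason the users file entry did: rlm_eap sets `EAP-Type` during authorize, and the unlang `if` simply evaluates it in the virtual server that should refuse it. If a separate users file per virtual server is still wanted, FreeRADIUS 2.x also allows a second named instance of the files module (for example `files local_users { usersfile = ${confdir}/users.local }` in `modules/files`, an assumed name and path) and calling `local_users` instead of `files` in that server's authorize section.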