EAP and non-EAP on same port?
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jul 3 16:45:11 CEST 2013
On 03/07/13 15:29, Bruce Bauman wrote:
> Right now we have freeradius configured so that EAP and non-EAP are
> handled by separate virtual servers which are listening on separate
> virtual ports.
> We'd like to simplify our configuration and use the same port for both.
> I've looked through the documentation without much success.
>
> Does anyone have an example configuration of this?

The default config handles both EAP and non-EAP just fine. You just list
the "eap" and other auth modules ("mschap", "pap", "chap") in authorize
and authenticate, and pull the password info from LDAP/SQL/files as per
usual.

However, it's likely you mean something more than the simple config
you've specified. Can you be more specific about what is unclear to you?

If you want to do some logic conditional on whether the request is EAP
or not, you can do this:

    authorize {
        ...
        if (EAP-Message) {
            # we're an EAP request
            sql
            eap
            blahblah
        }
        else {
            # we're non-eap
            files
            ldap
            mschap
            chap
            pap
        }
        ...
    }

And of course, the inner EAP auth can be sent to a virtual server - see
the sample "eap.conf" that comes with the server.
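
The `if (EAP-Message)` test in the reply above is a check for RADIUS attribute 79 in the incoming request. The following is an added example, not part of the original post or of FreeRADIUS: a small Python classifier that parses an Access-Request, makes the same EAP/non-EAP split, and flags EAP requests that lack the Message-Authenticator attribute RFC 3579 requires. All function names are hypothetical, and `build_request` only produces constructed sample packets.

```python
import struct

# RADIUS attribute type numbers (RFC 2865, RFC 3579)
USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC = 2, 3, 26
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
# Microsoft vendor id and the MS-CHAP-Response / MS-CHAP2-Response types (RFC 2548)
MS_VENDOR_ID, MS_CHAP_RESPONSES = 311, {1, 25}

def parse_attributes(packet: bytes):
    """Return [(type, value)] from a RADIUS packet, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def classify(packet: bytes) -> str:
    """Mirror the 'if (EAP-Message)' split and name the non-EAP method."""
    attrs = parse_attributes(packet)
    types = {t for t, _ in attrs}
    if EAP_MESSAGE in types:
        # Presence check only; this does not verify the HMAC-MD5 value.
        if MESSAGE_AUTHENTICATOR not in types:
            return "eap-missing-message-authenticator"
        return "eap"
    for t, v in attrs:
        if (t == VENDOR_SPECIFIC and len(v) >= 5
                and struct.unpack("!I", v[:4])[0] == MS_VENDOR_ID
                and v[4] in MS_CHAP_RESPONSES):
            return "mschap"
    if CHAP_PASSWORD in types:
        return "chap"
    return "pap" if USER_PASSWORD in types else "unknown"

def build_request(attrs):
    """Constructed sample Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body
```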