forcing EAP-type based on client/request
kacper.wirski at gmail.com
Mon Nov 19 20:04:53 CET 2018
For quite some time I've been using freeradius (3.0.17 right now -
installed from network radius packages on centos 7.5). I've been using
it for 802.1x eap-peap mostly.
I decided to expand my uses for RADIUS. The issue I ran into is that
some of the devices/applications, that could benefit from more
centralised RADIUS AA:
- don't tell which "eap-type" they want to use
- use only what's set as "default" in /mods-available/eap
- require different eap types (one works only when using default = md5,
other only when default = mschapv2) - so it's mutually exclusive.
Those devices/applications have no way of setting eap-type, so right now
with my knowle
Before writing this message I did look in the documentation, but I'm
probably not experienced enough, to make much sense of it.
What I understand is that, what should happen is this:
- client either explicitly tells which eap-types it wants to use (like
with windows, I can explicitly choose eap-peap with mschapv2 for
example), or sends just eap-identity, and freeradius starts offering
types that are configured, then client/radius come into "agreement"
which type to use.
With those devices in radius debug it looks basically like this: there's
eap-identity frame, radius tries using what's set as default, and it
either works (if it's what client expected) or fails (if it expected
I have in "eap" module enabled both mschapv2 and md5 and peap, but there
can be only one "default" type.
So what I was thinking, that maybe there's a way to set "eap-type" based
on request? In documentation about default eap setting I read that "it's
used, when eap-type wasn't set already by another module or just
eap-identity was sent". That got me thinking that there might be some
way "in another module" to force EAP-type based on coming request?
So please, if there is something obvious that I'm missing, please point
that out, I'm open to anything (except for maybe setting another FR
server just to use different EAP-default setting and split client
devices between those, that seems like an overkill to me?)
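
A sketch of the "set by another module" idea from the documentation quote above, added here as an example and not part of the original post or of the FreeRADIUS distribution: unlang in the authorize section sets the control attribute EAP-Type before the eap module runs. The client addresses are placeholders, the numeric values are the IANA EAP method type numbers, and it assumes the devices can be told apart by the source address of the request.

```unlang
# Fragment for the virtual server that handles these requests
# (constructed example; addresses below are placeholders).
authorize {
	# Only touch requests that actually carry EAP.
	if (&EAP-Message) {
		# Device that only works with EAP-MD5.
		# 4 = MD5-Challenge (IANA EAP method type)
		if (&Packet-Src-IP-Address == 192.0.2.10) {
			update control {
				&EAP-Type := 4
			}
		}
		# Device that only works with EAP-MSCHAPv2.
		# 26 = EAP-MSCHAPv2 (IANA EAP method type)
		elsif (&Packet-Src-IP-Address == 192.0.2.20) {
			update control {
				&EAP-Type := 26
			}
		}
		# Every other client is left alone and gets whatever
		# default_eap_type is configured in the eap module,
		# so 802.1X clients keep using PEAP as before.
	}

	# Must come after the block above, so the type is already
	# set when the EAP-Identity response is processed.
	eap {
		ok = return
	}
}
```

Keeping the match conditions as narrow as possible limits the weaker methods to the devices that need them; running the server with debug output (radiusd -X) shows which EAP type was actually offered for each request.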