Migration -> FR3 + CiscoAPs + Multiple SSID+ EAP-TLS +, Multiple Certs

Alan DeKok aland at deployingradius.com
Thu Nov 29 18:43:29 CET 2018


On Nov 29, 2018, at 12:20 PM, Ted Hyde (RSI) <thyde at rndstudio.com> wrote:
> Alan thank you - from a pseudo-code level, what I am therefore looking for is:
> 
> if (MAC_LIMITED-SSID && EAP-CERT-01)
>     {
>         check eap valid cert "EAP-CERT-01"

  That should happen automatically with the EAP module.

>         look up MAC
>         if !known MAC reject
>         if blocked MAC reject
>        (inferred tail deny)

  The server doesn't reject users by default; it rejects *unknown* users.

>     }
> else if (OPEN-SSID && EAP-CERT-02)
>     {
>        check eap valid cert "EAP-CERT-02"
>        accept
>        (inferred tail deny)
>     }
> 
> I am not looking to manage an implicit blocking list for OPEN-SSID; if the client has the *appropriate* cert (designated for OPEN-SSID), and they associate with OPEN-SSID, then they should be accepted. I do want to maintain two separate certs each intended to match against their designated SSIDs.

  Sure.  What you're looking for, then, is more like this:

authorize {
	...
	eap
	...
}

authenticate {
	...
	eap
	...
}

post-auth {
	...
	if (MAC_LIMITED-SSID && EAP-CERT-01) {
		look up MAC
		if !known MAC reject
		if blocked MAC reject
	}
	...
}


  Which is pretty simple.  That assumes that both client certs are issued by the same CA.

  Alan DeKok.
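A worked FreeRADIUS 3.0.x configuration for the post-auth sketch above, added here as an example; it is neither part of the thread nor shipped with FreeRADIUS. It assumes: the Cisco APs send Called-Station-Id as "<BSSID>:<SSID>"; both client certificates are issued by the same CA (the eap module has already validated the chain) and are told apart by an OU in the subject, with OU=limited-ssid and OU=open-ssid as hypothetical values; the MAC list lives in a files module instance named authorized_macs whose name and file path are assumptions; and the TLS-Client-Cert-* attributes from the handshake are present in the request list when post-auth runs. MAC_LIMITED-SSID and OPEN-SSID are Ted's placeholder SSID names, and the MAC entries are constructed samples. Tmp-String-0 and Tmp-String-1 are the server's internal scratch attributes.

```unlang
# --- mods-available/files (added instance; name and path are assumptions) ---
files authorized_macs {
	# Look entries up by client MAC instead of User-Name.
	key = "%{Calling-Station-Id}"
	usersfile = ${modconfdir}/files/authorized_macs
}

# --- mods-config/files/authorized_macs (constructed sample entries) ---
# Keys are upper-case and hyphen-separated, which is what the stock
# rewrite_calling_station_id policy produces.  A ":=" check item is copied
# into the control list of the request, so post-auth can read it.  A MAC
# that is not in this file never gets the attribute, i.e. it is "unknown".
AA-BB-CC-DD-EE-01	Tmp-String-1 := "allowed"

AA-BB-CC-DD-EE-02	Tmp-String-1 := "blocked"

# --- sites-enabled/default (only the relevant sections) ---
authorize {
	preprocess
	# Normalise the MAC to AA-BB-CC-DD-EE-FF before the lookup.
	rewrite_calling_station_id
	# Returns noop for an unknown MAC; the EAP exchange continues regardless,
	# the decision is taken in post-auth once the certificate is known.
	authorized_macs
	eap {
		ok = return
	}
}

authenticate {
	eap
}

post-auth {
	# Cisco Called-Station-Id is "<BSSID>:<SSID>"; keep the SSID in Tmp-String-0.
	if (&Called-Station-Id =~ /^([0-9a-f]{2}-){5}[0-9a-f]{2}:(.+)$/i) {
		update request {
			&Tmp-String-0 := "%{2}"
		}
	}
	else {
		# No SSID in the request: nothing to match against, so deny.
		reject
	}

	# Assumption: the two certs share a CA and differ only by subject OU.
	if ((&Tmp-String-0 == "MAC_LIMITED-SSID") && (&TLS-Client-Cert-Subject =~ /OU=limited-ssid/)) {
		# Only a MAC that is in the file AND flagged allowed gets through.
		# Unknown (attribute absent) and blocked both land in the reject branch.
		if (&control:Tmp-String-1 == "allowed") {
			ok
		}
		else {
			update reply {
				&Reply-Message := "MAC not permitted on this SSID"
			}
			reject
		}
	}
	elsif ((&Tmp-String-0 == "OPEN-SSID") && (&TLS-Client-Cert-Subject =~ /OU=open-ssid/)) {
		# Right certificate on the open SSID: no MAC list is consulted.
		ok
	}
	else {
		# Tail deny: wrong certificate for the SSID, or an SSID not listed here.
		reject
	}

	Post-Auth-Type REJECT {
		attr_filter.access_reject
		# Put EAP-Failure in the Access-Reject so the supplicant stops retrying.
		eap
	}
}
```

Two things to verify with `radiusd -X` before relying on this: that the final Access-Request really carries the TLS-Client-Cert-* attributes in the request list (if your build exposes them only in `session-state`, reference `&session-state:TLS-Client-Cert-Subject` instead), and that the APs actually include the SSID in Called-Station-Id; on a Cisco WLC that depends on the "Call Station ID Type" RADIUS setting being one of the "...:SSID" variants. Without the SSID suffix the first `if` fails and every user is rejected, which is the safe direction for a missing check.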



