Migration -> FR3 + CiscoAPs + Multiple SSID+ EAP-TLS +Multiple Certs
Ted Hyde (RSI)
thyde at rndstudio.com
Fri Nov 30 18:39:04 CET 2018
> Sure. What you're looking for then, is more this:
>
> authorize {
>     ...
>     eap
>     ...
> }
>
> authenticate {
>     ...
>     eap
>     ...
> }
>
> post-auth {
>     ...
>     if (MAC_LIMITED-SSID && EAP-CERT-01)
>     {
>         look up MAC
>         if !known MAC reject
>         if blocked MAC reject
>     }
>     ...
> }
>
>
> Which is pretty simple. That assumes that both client certs are issued by the same CA.
Yes, the CA is under my control (self-signed), so no expected challenge
there.
> Alan DeKok.
>
That said, how does the pseudo code get translated into unlang? I think
I understand a partial of %{request:Cisco-AVPair[0]} would provide the
SSID (based upon looking at the freeradius -X trace where it scrolls by
first) but I am unsure about testing for the [certificate name?]. (I got
the above from 'man unlang'; hopefully an appropriate reference.) I
expect "real" data is now necessary to continue forward?
Thanks,
Ted.
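
One way the quoted pseudocode could be written in FreeRADIUS 3 unlang, added here as an example; it is not from the thread or from the FreeRADIUS project. The SSID `restricted`, the certificate CN `device-cert-01`, and the `files` module instances `known_macs` and `blocked_macs` (each assumed to be keyed on Calling-Station-Id) are hypothetical names chosen for illustration.

```unlang
post-auth {
	#
	#  Assumed for this example (none of these names come from the thread):
	#    - SSID "restricted" is the MAC-limited SSID
	#    - client certificates of the first kind carry CN "device-cert-01"
	#    - known_macs and blocked_macs are instances of the "files" module,
	#      keyed on Calling-Station-Id, each backed by its own list
	#
	#  Match the "ssid=" pair wherever it appears in Cisco-AVPair instead
	#  of relying on index 0. %{Cisco-AVPair[*]} expands to every value of
	#  the attribute, joined with commas.
	#
	if ("%{Cisco-AVPair[*]}" =~ /(^|,)ssid=restricted(,|$)/) {
		#
		#  TLS-Client-Cert-Common-Name is filled in by the eap module
		#  after the client certificate has been verified. Depending on
		#  the 3.0.x release it may be held in the session-state list;
		#  confirm in the debug output which list it appears in and, if
		#  needed, write &session-state:TLS-Client-Cert-Common-Name.
		#
		if (&TLS-Client-Cert-Common-Name == "device-cert-01") {
			#  Unknown MAC: no entry matched, so the module
			#  did not return "ok".
			known_macs
			if (!ok) {
				reject
			}

			#  Blocked MAC: an entry matched in the block list.
			blocked_macs
			if (ok) {
				reject
			}
		}
	}
}
```

Both checks run only after EAP-TLS has succeeded, so a device on the limited SSID needs a valid certificate and a known, unblocked MAC address; the MAC check on its own is not an authentication factor, since the address is sent by the client.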