Migration -> FR3 + CiscoAPs + Multiple SSID+ EAP-TLS +Multiple Certs
Adam Bishop
Adam.Bishop at jisc.ac.uk
Fri Nov 30 20:40:46 CET 2018
On 30 Nov 2018, at 17:39, Ted Hyde (RSI) <thyde at rndstudio.com> wrote:
> That said, how does the pseudo code get translated into unlang? I think I understand a partial of %{request:Cisco-AVPair[0]} would provide the SSID (based upon looking at the freeradius -X trace where it scrolls by first) but I am unsure about testing for the [certificate name?]. (I got the above from 'man unlang'; hopefully an appropriate reference.) I expect "real" data is now necessary to continue forward?
For client certs, the EAP module extracts the certificate into attributes you can test. There are some examples in the check-eap-tls virtual server:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/check-eap-tls
If you're talking about the CN of the server cert, take a look at the check_cert_issuer option:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/eap#L300
Simplest way to get the SSID and client MAC is to look at the called/calling station id - the SSID is appended to the NAS' MAC in the Called-Station-Id, and the client MAC address should be in the Calling-Station-Id.
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
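One way to express the SSID and client certificate test from the message above in unlang, as an added example that is not part of the original post or of the FreeRADIUS default configuration. It assumes the check-eap-tls virtual server is enabled through the `virtual_server` option of the EAP-TLS module and that the APs send Called-Station-Id as MAC:SSID; the SSID names and issuer strings are constructed placeholders.

```unlang
# raddb/sites-available/check-eap-tls (added example, not the shipped file)
server check-eap-tls {
authorize {
	# Called-Station-Id arrives as "<AP MAC>:<SSID>".
	# Match the six MAC octets explicitly so that a MAC written with ':'
	# separators, or an SSID that itself contains ':', is split correctly.
	# The stock rewrite_called_station_id policy in policy.d/canonicalization
	# performs a similar split.
	if (&Called-Station-Id =~ /^([0-9a-f]{2}[-:.]?){5}[0-9a-f]{2}:(.+)$/i) {
		update request {
			&Called-Station-SSID := "%{2}"
		}
	}

	# Allow-list of SSID / issuing CA pairs (constructed values).
	# Written as positive matches with a final reject: a comparison against
	# a missing attribute does not match, so a request with no SSID or no
	# certificate attributes falls through to "reject" instead of passing.
	if ((&Called-Station-SSID == "Staff") && (&TLS-Client-Cert-Issuer == "/C=GB/O=Example/CN=Example Staff CA")) {
		update control {
			&Auth-Type := Accept
		}
	}
	elsif ((&Called-Station-SSID == "Lab") && (&TLS-Client-Cert-Issuer == "/C=GB/O=Example/CN=Example Lab CA")) {
		update control {
			&Auth-Type := Accept
		}
	}
	else {
		reject
	}
}
}
```

Run `radiusd -X` with one test client per SSID to see the exact TLS-Client-Cert-Issuer string your CA produces before copying it into the conditions.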