Migration -> FR3 + CiscoAPs + Multiple SSID+ EAP-TLS +Multiple Certs

Adam Bishop Adam.Bishop at jisc.ac.uk
Fri Nov 30 20:40:46 CET 2018

On 30 Nov 2018, at 17:39, Ted Hyde (RSI) <thyde at rndstudio.com> wrote:
> That said, how does the pseudo code get translated into unlang? I think I understand a partial of  %{request:Cisco-AVPair[0]} would provide the SSID (based upon looking at the freeradius -X trace where it scrolls by first) but I am unsure about testing for the [certificate name?]. (I got the above from 'man unlang'; hopefully an appropriate reference.) I expect "real" data is now necessary to continue forward?

For client certs, the EAP module extracts the certificate into attributes you can test. There are some examples in the check-eap-tls virtual server:

If you're talking about the CN of server cert, take a look at the check_cert_issuer option:

Simplest way to get the SSID and client MAC is to look at the called/calling station id - the SSID is appended to the NAS' MAC in the Called-Station-Id, and the client MAC address should be in the Calling-Station-Id.

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460
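
The SSID and client-certificate checks discussed in this message, combined in one unlang sketch. This is an added example, not part of the original message and not FreeRADIUS's shipped configuration. It assumes the block is used as the authorize section of the check-eap-tls virtual server and that the outer request's Called-Station-Id is visible there; the SSID names and issuer DN strings are constructed placeholders.

```unlang
# Added example. SSIDs and issuer DNs below are constructed placeholders.
authorize {
	# Called-Station-Id arrives as <AP MAC>:<SSID>. Match six hex pairs
	# (separated by -, : or . or nothing), one delimiter, then the SSID.
	if (&Called-Station-Id =~ /^([0-9a-f]{2}[-:.]?){5}[0-9a-f]{2}[^0-9a-f](.+)$/i) {
		update request {
			&Called-Station-SSID := "%{2}"
		}
	}

	# Fail closed: anything not explicitly matched below is rejected,
	# including requests where no SSID could be parsed.
	update config {
		&Auth-Type := Reject
	}

	# Each SSID accepts only client certificates from its own issuing CA.
	if (&Called-Station-SSID == "staff-example") {
		if (&TLS-Client-Cert-Issuer == "/C=XX/O=Example Org/CN=Example Staff CA") {
			update config {
				&Auth-Type := Accept
			}
		}
	}
	elsif (&Called-Station-SSID == "lab-example") {
		if (&TLS-Client-Cert-Issuer == "/C=XX/O=Example Org/CN=Example Lab CA") {
			update config {
				&Auth-Type := Accept
			}
		}
	}

	if (&control:Auth-Type == Reject) {
		update reply {
			&Reply-Message := "Certificate not permitted on this SSID."
		}
	}
}
```

Running the server with -X shows the exact Called-Station-Id and TLS-Client-Cert-Issuer strings your APs and certificates produce, which is what the comparisons above must match.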

