Conditional EAP Type Acceptance

Alan DeKok aland at
Mon Nov 25 13:49:16 CET 2019

On Nov 24, 2019, at 8:00 PM, Mike DiBella <mike at> wrote:
> I have FR set up to authenticate based EAP-TLS certificate and authorize based on finding an object in LDAP where Calling-Station-Id from the supplicant is equal to an attribute containing the WLAN MAC address, and an additional compliance attribute is equal to zero.    This allows me to only accept requests from managed devices that are policy compliant.

  That's good.

> Now I need to add a way to accept requests from guest devices.
> So I would need to break the LDAP check into two parts.   First, if an object exists where the MAC attribute matches the request Calling-Station-Id , authenticate by EAP-TLS.   If authenticated, accept the request if the compliance attribute is zero.
> If the MAC address is not found, authenticate using PEAP.

  Except you don't control which authentication method is used.  The supplicant (client side) chooses that.

  Further, if you don't issue client certificates for guests, then they can't choose EAP-TLS.

  And, if you don't issue passwords for normal users, they can't choose PEAP.  Well, they can, but they can't authenticate because they don't have a password.

  So what you really need to do is for EAP-TLS, check that the MAC attribute matches the Calling-Station-Id.  And that's about it.  Which is what you already have.

>   Accept on credential match.    I only need a few guest accounts, so I'd load them in a simple store.   Which backend would be most suited for the PEAP accounts?      I'd want to be able to rotate the guest account passwords periodically without much fuss.

  Anything that makes you happy.  Even a simple text file is fine.

  Alan DeKok.

More information about the Freeradius-Users mailing list