I have added a new eap_new with the other cert in eap.conf and tried the unlang policy. But, it still goes to my existing eap/cert. MAC address and IP are masked by x.<div><br></div><div><div>+- entering group authorize {...}</div>
<div>++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam")</div><div>? Evaluating (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE</div><div>++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE</div>
<div>++- entering if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") {...}</div><div>[eap_new] EAP packet type response id 5 length 253</div><div>[eap_new] Continuing tunnel setup.</div><div>+++[eap_new] returns ok</div>
<div>++- if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") returns ok</div><div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>[suffix] No '@' in User-Name = "testuser", looking up realm NULL</div>
<div>[suffix] No such realm "NULL"</div><div>++[suffix] returns noop</div><div>[eap] EAP packet type response id 5 length 253</div><div>[eap] Continuing tunnel setup.</div><div>++[eap] returns ok</div><div>Found Auth-Type = eap_new</div>
<div>Found Auth-Type = EAP</div><div>Warning: Found 2 auth-types on request for user 'testuser'</div><div>+- entering group authenticate {...}</div><div>[eap] Request found, released from the list</div><div>[eap] EAP/peap</div>
<div>[eap] processing type peap</div><div>[peap] processing EAP-TLS</div><div> TLS Length 326</div><div>[peap] Length Included</div><div>[peap] eaptls_verify returned 11 </div><div>[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange </div>
<div>[peap] TLS_accept: SSLv3 read client key exchange A </div><div>[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] </div><div>[peap] <<< TLS 1.0 Handshake [length 0010], Finished </div><div>[peap] TLS_accept: SSLv3 read finished A </div>
<div>[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] </div><div>[peap] TLS_accept: SSLv3 write change cipher spec A </div><div>[peap] >>> TLS 1.0 Handshake [length 0010], Finished </div><div>[peap] TLS_accept: SSLv3 write finished A </div>
<div>[peap] TLS_accept: SSLv3 flush data </div><div>[peap] (other): SSL negotiation finished successfully </div><div>SSL Connection Established </div><div>[peap] eaptls_process returned 13 </div><div>[peap] EAPTLS_HANDLED</div>
<div>++[eap] returns handled</div><div>Sending Access-Challenge of id 222 to x.x.x.x port 1814</div><div> EAP-Message = 0x0106004119001403010001011603010030b28ae1644d58446a53a87038624720d385694e46bdc3ed64cc1db984d2b701c2c108d53dd42f6b1cda054ca078d222ec</div>
<div> Message-Authenticator = 0x00000000000000000000000000000000</div><div> State = 0x96c69e6392c08707519378ef521f03bb</div><div> Proxy-State = 0x3637</div><div>Finished request 4.</div><div><br></div>
<br><div class="gmail_quote">On Wed, May 16, 2012 at 11:46 PM, Phil Mayers <span dir="ltr"><<a href="mailto:p.mayers@imperial.ac.uk" target="_blank">p.mayers@imperial.ac.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 16/05/12 16:29, C.F. Yeung wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
We have 2 SSL Certs for two SSID (802.1x). How can my freeradius server<br>
present wifi clients the cert based on SSID? Should I have two eap.conf?<br>
</blockquote>
<br></div>
Yes. Configure the two "eap" modules with different names e.g.<br>
<br>
eap eap_cert1 {<br>
...<br>
}<br>
eap eap_cert2 {<br>
...<br>
}<br>
<br>
...and then configure your radius server to run the appropriate eap module. Two choices for this:<br>
<br>
1. If your wireless equipment allows it, configure each SSID with different radius server IP/ports. Then make FreeRADIUS listen on different ports like so:<br>
<br>
listen {<br>
type = auth<br>
ipaddr = *<br>
port = 18000<br>
virtual_server = server1<br>
}<br>
server server1 {<br>
authorize {<br>
...<br>
eap_cert1<br>
}<br>
authenticate {<br>
...<br>
eap_cert1<br>
}<br>
}<br>
<br>
# repeat for cert1/eap2<br>
<br>
2. Use "unlang" policies to match on SSID e.g. (untested)<br>
<br>
authorize {<br>
if (My-SSID == SSID1) {<br>
eap_cert1<br>
}<br>
elsif (My-SSID == SSID2) {<br>
eap_cert2<br>
}<br>
}<br>
authenticate {<br>
...<br>
eap_cert1<br>
eap_cert2<br>
}<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/<u></u>list/users.html</a><br>
</blockquote></div><br></div>