I have added a new eap_new with the other cert in eap.conf and tried the unlang policy. But, it still goes to my existing eap/cert. MAC address and IP are masked by x. +- entering group authorize {...} ++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") ? Evaluating (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE ++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE ++- entering if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") {...} [eap_new] EAP packet type response id 5 length 253 [eap_new] Continuing tunnel setup. +++[eap_new] returns ok ++- if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") returns ok ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = eap_new Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'testuser' +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 222 to x.x.x.x port 1814 EAP-Message = 0x0106004119001403010001011603010030b28ae1644d58446a53a87038624720d385694e46bdc3ed64cc1db984d2b701c2c108d53dd42f6b1cda054ca078d222ec Message-Authenticator = 0x00000000000000000000000000000000 State = 0x96c69e6392c08707519378ef521f03bb Proxy-State = 0x3637 Finished request 4. On Wed, May 16, 2012 at 11:46 PM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 16/05/12 16:29, C.F. Yeung wrote:
We have 2 SSL Certs for two SSID (802.1x). How can my freeradius server present wifi clients the cert based on SSID? Should I have two eap.conf?
Yes. Configure the two "eap" modules with different names e.g.
eap eap_cert1 { ... } eap eap_cert2 { ... }
...and then configure your radius server to run the appropriate eap module. Two choices for this:
1. If your wireless equipment allows it, configure each SSID with different radius server IP/ports. Then make FreeRADIUS listen on different ports like so:
listen { type = auth ipaddr = * port = 18000 virtual_server = server1 } server server1 { authorize { ... eap_cert1 } authenticate { ... eap_cert1 } }
# repeat for cert1/eap2
2. Use "unlang" policies to match on SSID e.g. (untested)
authorize { if (My-SSID == SSID1) { eap_cert1 } elsif (My-SSID == SSID2) { eap_cert2 } } authenticate { ... eap_cert1 eap_cert2 } - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>