I have added a new eap_new with the other cert in eap.conf and tried the unlang policy. But, it still goes to my existing eap/cert. MAC address and IP are masked by x.
+- entering group authorize {...}
++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam")
? Evaluating (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE
++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE
++- entering if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") {...}
[eap_new] EAP packet type response id 5 length 253
[eap_new] Continuing tunnel setup.
+++[eap_new] returns ok
++- if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = eap_new
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user 'testuser'
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 222 to x.x.x.x port 1814
EAP-Message = 0x0106004119001403010001011603010030b28ae1644d58446a53a87038624720d385694e46bdc3ed64cc1db984d2b701c2c108d53dd42f6b1cda054ca078d222ec
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x96c69e6392c08707519378ef521f03bb
Proxy-State = 0x3637
Finished request 4.
On Wed, May 16, 2012 at 11:46 PM, Phil Mayers
<p.mayers@imperial.ac.uk> wrote:
On 16/05/12 16:29, C.F. Yeung wrote:
We have 2 SSL Certs for two SSID (802.1x). How can my freeradius server
present wifi clients the cert based on SSID? Should I have two eap.conf?
Yes. Configure the two "eap" modules with different names e.g.
eap eap_cert1 {
...
}
eap eap_cert2 {
...
}
...and then configure your radius server to run the appropriate eap module. Two choices for this:
1. If your wireless equipment allows it, configure each SSID with different radius server IP/ports. Then make FreeRADIUS listen on different ports like so:
listen {
type = auth
ipaddr = *
port = 18000
virtual_server = server1
}
server server1 {
authorize {
...
eap_cert1
}
authenticate {
...
eap_cert1
}
}
# repeat for cert1/eap2
2. Use "unlang" policies to match on SSID e.g. (untested)
authorize {
if (My-SSID == SSID1) {
eap_cert1
}
elsif (My-SSID == SSID2) {
eap_cert2
}
}
authenticate {
...
eap_cert1
eap_cert2
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html