11 Jul
2017
11 Jul
'17
6:22 p.m.
Would you mind giving a hint on what this might look like? I'm not familiar with what variable would carry the authentication type, and debug mode does not seem to reveal it. Many thanks for the help! John On 7/11/17 6:12 PM, Alan Buxey wrote: > Just use some unlang in the post-auth section to separate your EAP-TLS > policy from your PEAP decisions > > alan > > On 11 Jul 2017 10:48 pm, "John Meyers" <john+freeradius@themeyers.us> wrote: > >> Hello, >> >> I have what I think is a very common use case. I'd like to support >> "dual stack" EAP-TLS and EAP-PEAP, the concept being that if a corporate >> device has a valid certificate and authenticates EPA-TLS it gets >> validated against one set of rules ultimately culminating with >> assignment in one or more VLANs, vs a BYOD device authenticated with >> EAP-PEAP that will go through a different authentication/authorization >> stack ending up in a different set of possible VLANs. >> >> We have the EAP-PEAP case working flawlessly on freeradius-3.0.4-6.el7. >> The problem is that when I enable the 'virtual_server' option for >> EAP-TLS, it still hits the default authentication/authorization stack >> resulting in searching the wrong LDAP (machines and people are separate) >> before it runs for the virtual server defined. By the time it hits the >> virtual server, the request has already been denied as the LDAP object >> does not exist in the area it is looking for. I would also like, if >> EAP-TLS is used, to ignore whatever username the client passes and >> instead use the client's CN from its certificate with regard to ldap >> authorization. >> >> If anyone has any advise on how to configure a completely divergent >> configuration that depends on whether or not the client is use TLS or >> PEAP, I would appreciate it. >> >> John >> >> >> >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/ >> list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html