Hello,
Hello ! The Idea is to authenticate users with eap-tls with certficates. People without any certificate should use different vlan provided by Radius. Only supported authentication should be eap- tls. Is it possible to make authentication with eap-tls with certficates for valid users and some "guest vlan" for users which hasnt any or unknown certificates ?
It's not possible. If the device doesn't present a valid certificate, it won't authenticate. You can't force an "Accept" with EAP methods.
Really? Couldn't you branch the processing based on the outer ID? Let all your well-managed users present some special outer id and treat the rest differently. Like in radiusd.conf, you do if ( &User-Name == "my-fancy-outer-id@my-institution.org") { eap { ok = return } } else { [do other stuff] } In the users file, make sure the every bunch of users gets the correct reply items, i.e. Tunnel-Private-Group-ID etc. The "Other stuff" section could be ommitted, then default processing goes on. Or you could call an alternate eap config here you have prepared in the eap module configuration. This setup would seem a bit shaky, though: A mistake in the users file could easily bring the internal VLAN to your guests. But then, you could branch even earlier by proxying different outer IDs to different virtual servers, right? Only this time, the decision would be based on the realm part of the outer ID. Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg