On Nov 29, 2018, at 12:20 PM, Ted Hyde (RSI) <thyde@rndstudio.com> wrote:
Alan thank you - from a pseudo-code level, what I am therefore looking for is:
if (MAC_LIMITED-SSID && EAP-CERT-01) { check eap valid cert "EAP-CERT-01"
That should happen automatically with the EAP module.
look up MAC if !known MAC reject if blocked MAC reject (inferred tail deny)
The server doesn't reject users by default it rejects *unknown* users.
} else if (OPEN-SSID && EAP-CERT-02) { check eap valid cert "EAP-CERT-02" accept (inferred tail deny) }
I am not looking to manage an implicit blocking list for OPEN-SSID; if the client has the *appropriate* cert (designated for OPEN-SSID), and they associate with OPEN-SSID, then they should be accepted. I do want to maintain two separate certs each intended to match against their designated SSIDs.
Sure. What you're looking for then, is more this: authorize { ... eap ... } authenticate { ... eap ... } post-auth { ... if (MAC_LIMITED-SSID && EAP-CERT-01) { look up MAC if !known MAC reject if blocked MAC reject } ... } Which is pretty simple. That assumes that both client certs are issued by the same CA. Alan DeKok.