Rainer Brinkmann wrote:
Hello,
we wonder, how a freeradius can request a client to use a fixed EAP-Method: so its defined: Client starts with EAP-Start-Msg Radius wants EAP-Identity Client answers with Username or Hostname NOT using a special EAP-Method
Radius now starts communiucating with the first EAP-Packet, using the special EAP-Method
For this, it will use the default_eap_type
Question:
you run in your wireless LAN many SSIDs: SSID1 shall use EAP-TTLS SSID2 shall use EAP-TLS (high-secured Net like personal Data)
what logic starts the right inner-EAP-Protocol, cause neither the AccessPoint(WLAN-Controller), nor the radius server know, what Method to use, when there are many enabled.
e.g. on a cisco-Radius, that runs with enabled PEAP and TLS, but there's no special attribute defined to control that
Yes there is. Set "EAP-Type" (see dictionary.freeradius.internal) e.g. DEFAULT Your-SSID-AVP = "SSID1", EAP-Type := EAP-TTLS DEFAULT Your-SSID-AVP = "SSID2", EAP-Type := EAP-TLS Note however, the client can still NAK the radius server and request a different type, and the radius server will allow that. To prevent that, you'd need to run >1 instance of the eap module and disable the other eap types. The following is untested and may not work for various reasons, but is worth a try: modules { eap eap_ttlsonly { default_eap_type = ttls # only define one eap sub-module ttls { # stuff } } eap eap_tlsonly { default_eap_type = tls # only define one eap sub-module tls { # stuff } } } authorize { preprocess users Autz-Type TTLS-only { eap_ttlsonly } Autz-Type TLS-only { eap_tlsonly } } authenticate { Auth-Type TTLS-only { eap_ttlsonly } Auth-Type TLS-only { eap_tlsonly } } ...the in "users": DEFAULT SSID = "ssid1", Autz-Type := TTLS-only, Auth-Type := TTLS-only DEFAULT SSID = "ssid2", Autz-Type := TLS-only, Auth-Type := TLS-only
thanks for reply, Rainer Brinkmann
University-Clinicum Hamburg / Germany
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html