Nick Kartsioukas <lists.freeradius@change.nightwind.net> wrote:
Okay...let's say I have an SSID for students and an SSID for staff. Students authenticate against LDAP, which stores passwords as salted SHA1 hashes. Staff authenticate against Windows ActiveDirectory. I've found where the WLC sends the SSID to FreeRADIUS, so I can get at that. My question is, how do I set up the EAP-TTLS/PAP session for the Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID? Are these configured as different virtual servers? Or just different modules that I call from the users file like so: DEFAULT Auth-Type := student_module, Called-Station-SSID := "student" DEFAULT Auth-Type := staff_module, Called-Station-SSID := "staff"
Just duplicate what you see in eap.conf to look something like: ---- eap EAP_student { # set this to peap for staff default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no max_sessions = 4096 tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = ${local.cert.password} private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem dh_file = ${certdir}/dh random_file = /dev/urandom cipher_list = "AES:HIGH:!aNULL:!eNULL:@STRENGTH" } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = yes virtual_server = "auth" } # comment 'ttls' and uncomment following for staff #peap { # default_eap_type = mschapv2 # copy_request_to_tunnel = no # use_tunneled_reply = yes # virtual_server = "auth" #} # #mschapv2 { # send_error = yes #} } eap EAP_staff { .... } ---- ---- authorize { ... if (Airespace-Wlan-Id == "student_ssid") { EAP_student } else { EAP_staff } ... } ---- Cheers -- Alexander Clouter .sigmonster says: Remember to say hello to your bank teller.