different eap/tls config for different interfaces
I'm running freeradius on a linux box with 2 nics, eth0 and eth1. Let's say eth0 has an ip of 192.168.5.5, and eth1 has an ip of 192.168.6.6. And, eth0 is a member of vlan 5 and eth1 is a member of vlan 6. I bind freeradius to "*", so it's listening on both interfaces/ip's. I generated freeradius' tls certificate with a common name matching the ip of eth0 (192.168.5.5). Will this cause problems when a client tries to connect to freeradius via eth1 (192.168.6.6)? If so, is it possible to have 2 different tls sections that service the 2 different interfaces? Seems like I read somewhere that you can represent more than one IP in the common name of a certificate, but can't remember for sure as it's been a while. Anyone have any suggestions? thanks!
ragan_davis@colstate.edu wrote:
I generated freeradius' tls certificate with a common name matching the ip of eth0 (192.168.5.5). Will this cause problems when a client tries to connect to freeradius via eth1 (192.168.6.6)?
No, because the wireless clients interact with the server via IP, so they don't know it's IP address.
If so, is it possible to have 2 different tls sections that service the 2 different interfaces?
No. FreeRADIUS supports only 1 TLS module at a time. Alan DeKok.
ragan_davis@colstate.edu wrote:
If so, is it possible to have 2 different tls sections that service the 2 different interfaces?
No. FreeRADIUS supports only 1 TLS module at a time.
What Alan forgot to mention is a solution. If you run two copies of the Radius server, with one bound to either a different set of ports, or one to each IP, you could have separate configs. -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
participants (3)
-
Alan DeKok -
Kris Benson -
ragan_davis@colstate.edu