Re: how to disable a particular EAP type in freeradius2 for a particular ESSID ?
Yes. Perfectly possible...just need to make copies of the 'files' module file, then give it is name (as per docs), then out a different users file in the second copy. In the virtual server you can then call the copy of the files module that uses that different file. Personally I'd just use one small bit of unlang eg if(%{Called-Station-Id} ~= /:ssid$/i && EAP-Type = EAP-TLS) { access-reject } (example quick code!)...this assumes the request coming from the AP/controller has the SSID embedded in it..... alan
On 2/10/12 6:54 PM, Alan Buxey wrote:
Yes. Perfectly possible...just need to make copies of the 'files' module file, then give it is name (as per docs), then out a different users file in the second copy. In the virtual server you can then call the copy of the files module that uses that different file.
Personally I'd just use one small bit of unlang eg
if(%{Called-Station-Id} ~= /:ssid$/i && EAP-Type = EAP-TLS) { access-reject }
(example quick code!)...this assumes the request coming from the AP/controller has the SSID embedded in it.....
Yes I wanted to use this solution but the problem is that when my Cisco 1200 access points contact freeradius, there is no SSID like attribute in the communication, in the request there is no SSID... I will try with the copy of module file I did not figure out it form the docs. thank you
alan
Riccardo Veraldi wrote:
Yes I wanted to use this solution but the problem is that when my Cisco 1200 access points contact freeradius, there is no SSID like attribute in the communication, in the request there is no SSID..
See the Called-Station-Id attribute. The SSID should be buried there. Alan DeKok.
On Sat, Feb 11, 2012 at 09:07:49AM +0100, Riccardo Veraldi wrote:
Yes I wanted to use this solution but the problem is that when my Cisco 1200 access points contact freeradius, there is no SSID like attribute in the communication, in the request there is no SSID... I will try with the copy of module file I did not figure out it form the docs.
If your eduroam requests are going through a completely different virtual server from your local SSID requests, then just follow Alan's advice, but you don't need to test for SSID - just put it in the virtual server that you want to block EAP-TLS, something like if (EAP-Type == "EAP-TLS") { reject } For the Cisco APs, which don't seem to follow the RFCs for Called-Station-Id (as far as I can tell) unless you use a WLC, try: ap(config)# radius-server vsa send authentication and you should then end up with an attribute you can test: Cisco-AVPair = "ssid=eduroam" Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
Alan Buxey -
Alan DeKok -
Matthew Newton -
Riccardo Veraldi