how to disable a particular EAP type in freeradius2 for a particular ESSID ?
Hello, I have a radius infrastructure with multiple ESSID. in particular I have the eduroam ESSID and another local ESSID. They are managed by my freeradius2 server with 2 virtual-server instances, one for eduroam and the other for my local ESSID. Both are 802.1x infrastructures. I have always been disabling EAP-TLS in my local infrastructure writing this in the users file DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject but now I need EAP-TLS to be avaliable for eduroam and I do not like the solution to have a completely different radius server, I wanted to do it with only one freeradius server with virtual server configuration. Thus I need to enable EAP-TLS for eduroam and disable EAP-TLS for my local SSID. How is possible to do this on freeradius2 ? After many attempts I could not figure out... thank you Rick
On 10/02/12 11:33, Riccardo Veraldi wrote:
Hello, I have a radius infrastructure with multiple ESSID. in particular I have the eduroam ESSID and another local ESSID. They are managed by my freeradius2 server with 2 virtual-server instances, one for eduroam and the other for my local ESSID. Both are 802.1x infrastructures.
I have always been disabling EAP-TLS in my local infrastructure writing this in the users file
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
but now I need EAP-TLS to be avaliable for eduroam and I do not like the solution to have a completely different radius server,
If you have an "eduroam" SSID, what's going to stop your users connecting to that, and using EAP-TLS?
I wanted to do it with only one freeradius server with virtual server configuration.
Thus I need to enable EAP-TLS for eduroam and disable EAP-TLS for my local SSID.
Does your wireless platform let you set different radius servers per-SSID? If so, you can run a FreeRADIUS virtual server on separate ports.
How is possible to do this on freeradius2 ?
1. Define two virtual servers 2. Have them listen on different ports 3. Set the radius servers for the two SSIDs to the relevant ports 4. Write a different policy in each virtual server
On 2/10/12 12:57 PM, Phil Mayers wrote:
On 10/02/12 11:33, Riccardo Veraldi wrote:
Hello, I have a radius infrastructure with multiple ESSID. in particular I have the eduroam ESSID and another local ESSID. They are managed by my freeradius2 server with 2 virtual-server instances, one for eduroam and the other for my local ESSID. Both are 802.1x infrastructures.
I have always been disabling EAP-TLS in my local infrastructure writing this in the users file
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
but now I need EAP-TLS to be avaliable for eduroam and I do not like the solution to have a completely different radius server,
If you have an "eduroam" SSID, what's going to stop your users connecting to that, and using EAP-TLS?
I wanted to do it with only one freeradius server with virtual server configuration.
Thus I need to enable EAP-TLS for eduroam and disable EAP-TLS for my local SSID.
Does your wireless platform let you set different radius servers per-SSID? If so, you can run a FreeRADIUS virtual server on separate ports.
How is possible to do this on freeradius2 ?
1. Define two virtual servers 2. Have them listen on different ports 3. Set the radius servers for the two SSIDs to the relevant ports 4. Write a different policy in each virtual server - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Hi, i know all this and I already did this. What i miss is to write a different policy on each virtual server. eduroam is all fine EAP-TLS is the default.
But how to tell the other virtual server to disable EAP-TLS authentication ? the virtual servers receive requests from the same access points, and each access ponit have two SSID. Each ESSID send request oto a different virtual server IP. I have found no way to tell the local virtual server (the one serving local ESSID) to disable EAP-TLS. If I do it in users file, this configuration is valid for both virtual servers: DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject I Cannot have two separate users file, the users file is common to both virtual servers. Is there a way to have a users file for eac hvirtual server ? I did not find it is possibile from documentation. Ricdk
I Cannot have two separate users file, the users file is common to both
virtual servers. Is there a way to have a users file for eac hvirtual server ? I did not find it is possibile from documentation.
Ricdk
Yes you can. This is a core feature of the server. You need to look at the docs more closely. -- Sent from my phone. Please excuse brevity and typos.
participants (2)
-
Phil Mayers -
Riccardo Veraldi