We have 2 SSL Certs for two SSID (802.1x). How can my freeradius server present wifi clients the cert based on SSID? Should I have two eap.conf? Thanks, CF
On 16/05/12 16:29, C.F. Yeung wrote:
We have 2 SSL Certs for two SSID (802.1x). How can my freeradius server present wifi clients the cert based on SSID? Should I have two eap.conf?
Yes. Configure the two "eap" modules with different names e.g. eap eap_cert1 { ... } eap eap_cert2 { ... } ...and then configure your radius server to run the appropriate eap module. Two choices for this: 1. If your wireless equipment allows it, configure each SSID with different radius server IP/ports. Then make FreeRADIUS listen on different ports like so: listen { type = auth ipaddr = * port = 18000 virtual_server = server1 } server server1 { authorize { ... eap_cert1 } authenticate { ... eap_cert1 } } # repeat for cert1/eap2 2. Use "unlang" policies to match on SSID e.g. (untested) authorize { if (My-SSID == SSID1) { eap_cert1 } elsif (My-SSID == SSID2) { eap_cert2 } } authenticate { ... eap_cert1 eap_cert2 }
I have added a new eap_new with the other cert in eap.conf and tried the unlang policy. But, it still goes to my existing eap/cert. MAC address and IP are masked by x. +- entering group authorize {...} ++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") ? Evaluating (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE ++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE ++- entering if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") {...} [eap_new] EAP packet type response id 5 length 253 [eap_new] Continuing tunnel setup. +++[eap_new] returns ok ++- if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") returns ok ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = eap_new Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'testuser' +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 222 to x.x.x.x port 1814 EAP-Message = 0x0106004119001403010001011603010030b28ae1644d58446a53a87038624720d385694e46bdc3ed64cc1db984d2b701c2c108d53dd42f6b1cda054ca078d222ec Message-Authenticator = 0x00000000000000000000000000000000 State = 0x96c69e6392c08707519378ef521f03bb Proxy-State = 0x3637 Finished request 4. On Wed, May 16, 2012 at 11:46 PM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 16/05/12 16:29, C.F. Yeung wrote:
We have 2 SSL Certs for two SSID (802.1x). How can my freeradius server present wifi clients the cert based on SSID? Should I have two eap.conf?
Yes. Configure the two "eap" modules with different names e.g.
eap eap_cert1 { ... } eap eap_cert2 { ... }
...and then configure your radius server to run the appropriate eap module. Two choices for this:
1. If your wireless equipment allows it, configure each SSID with different radius server IP/ports. Then make FreeRADIUS listen on different ports like so:
listen { type = auth ipaddr = * port = 18000 virtual_server = server1 } server server1 { authorize { ... eap_cert1 } authenticate { ... eap_cert1 } }
# repeat for cert1/eap2
2. Use "unlang" policies to match on SSID e.g. (untested)
authorize { if (My-SSID == SSID1) { eap_cert1 } elsif (My-SSID == SSID2) { eap_cert2 } } authenticate { ... eap_cert1 eap_cert2 } - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 05/17/2012 05:07 AM, C.F. Yeung wrote:
I have added a new eap_new with the other cert in eap.conf and tried the unlang policy. But, it still goes to my existing eap/cert. MAC address and IP are masked by x.
+- entering group authorize {...} ++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") ? Evaluating (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE ++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE ++- entering if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") {...} [eap_new] EAP packet type response id 5 length 253 [eap_new] Continuing tunnel setup. +++[eap_new] returns ok ++- if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") returns ok ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup.
You didn't do what I said. You're still running the "eap" module. You need: authorize { ... if ( ... ) { eap_new } else { eap } ... }
++[eap] returns ok Found Auth-Type = eap_new Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'testuser'
READ the debug output please!
Thanks Phil, it's ok now. On Thu, May 17, 2012 at 3:14 PM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 05/17/2012 05:07 AM, C.F. Yeung wrote:
I have added a new eap_new with the other cert in eap.conf and tried the unlang policy. But, it still goes to my existing eap/cert. MAC address and IP are masked by x.
+- entering group authorize {...} ++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") ? Evaluating (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE ++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE ++- entering if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") {...} [eap_new] EAP packet type response id 5 length 253 [eap_new] Continuing tunnel setup. +++[eap_new] returns ok ++- if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") returns ok ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup.
You didn't do what I said. You're still running the "eap" module. You need:
authorize { ... if ( ... ) { eap_new } else { eap } ...
}
++[eap] returns ok
Found Auth-Type = eap_new Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user 'testuser'
READ the debug output please!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Hi,
Found Auth-Type = eap_new Found Auth-Type = EAP
no no. you've got to have 2 totally different eap mpdules defined , and where they could be you need to ensure that you have 2 types of request configured. you are better off having a new virtual-server that you direct that request into and change 'eap' in it (wherever it appears) to eap_new alan
Thanks Alan, it's fixed with the help by Phil. I want to add one more condition to call the eap_new module based on Realm. The following elseif condition is wrong. How should I write the correct unlang? if(Called-Station-Id == "xx-xx-xx-xx-xx-xx:duroam") { eap_new { ok = return } } elseif(Realm == "newdomain.com") { eap_new { ok = return } } else { eap { ok = return } } On Fri, May 18, 2012 at 5:03 AM, alan buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Found Auth-Type = eap_new Found Auth-Type = EAP
no no. you've got to have 2 totally different eap mpdules defined , and where they could be you need to ensure that you have 2 types of request configured. you are better off having a new virtual-server that you direct that request into and change 'eap' in it (wherever it appears) to eap_new
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Got it working as follow. if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") { eap_new { ok = return } } if (Realm == "newdomain.com") { eap_new { ok = return } } else { eap { ok = return } } On Fri, May 18, 2012 at 9:11 AM, C.F. Yeung <yeungcf@gmail.com> wrote:
Thanks Alan, it's fixed with the help by Phil. I want to add one more condition to call the eap_new module based on Realm. The following elseif condition is wrong. How should I write the correct unlang?
if(Called-Station-Id == "xx-xx-xx-xx-xx-xx:duroam") { eap_new { ok = return } } elseif(Realm == "newdomain.com") { eap_new { ok = return } } else { eap { ok = return } }
On Fri, May 18, 2012 at 5:03 AM, alan buxey <A.L.M.Buxey@lboro.ac.uk>wrote:
Hi,
Found Auth-Type = eap_new Found Auth-Type = EAP
no no. you've got to have 2 totally different eap mpdules defined , and where they could be you need to ensure that you have 2 types of request configured. you are better off having a new virtual-server that you direct that request into and change 'eap' in it (wherever it appears) to eap_new
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry to bother again, how should I rewrite the unlang for the condition that if the Called-Station-Id contains "eduroam"? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") { On Fri, May 18, 2012 at 10:38 AM, C.F. Yeung <yeungcf@gmail.com> wrote:
Got it working as follow.
if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") { eap_new { ok = return } } if (Realm == "newdomain.com") { eap_new { ok = return } } else { eap { ok = return } }
On Fri, May 18, 2012 at 9:11 AM, C.F. Yeung <yeungcf@gmail.com> wrote:
Thanks Alan, it's fixed with the help by Phil. I want to add one more condition to call the eap_new module based on Realm. The following elseif condition is wrong. How should I write the correct unlang?
if(Called-Station-Id == "xx-xx-xx-xx-xx-xx:duroam") { eap_new { ok = return } } elseif(Realm == "newdomain.com") { eap_new { ok = return } } else { eap { ok = return } }
On Fri, May 18, 2012 at 5:03 AM, alan buxey <A.L.M.Buxey@lboro.ac.uk>wrote:
Hi,
Found Auth-Type = eap_new Found Auth-Type = EAP
no no. you've got to have 2 totally different eap mpdules defined , and where they could be you need to ensure that you have 2 types of request configured. you are better off having a new virtual-server that you direct that request into and change 'eap' in it (wherever it appears) to eap_new
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, May 18, 2012 at 11:35:39AM +0800, C.F. Yeung wrote:
Sorry to bother again, how should I rewrite the unlang for the condition that if the Called-Station-Id contains "eduroam"?
if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") {
man unlang - look for regular expressions. if (Called-Station-Id =~ /eduroam/) { or you may want something more like if (Called-Station-Id =~ /:eduroam$/) { to check that it ends in ":eduroam" Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Thanks Matthew, it's tested okay. On Fri, May 18, 2012 at 5:44 PM, Matthew Newton <mcn4@leicester.ac.uk>wrote:
On Fri, May 18, 2012 at 11:35:39AM +0800, C.F. Yeung wrote:
Sorry to bother again, how should I rewrite the unlang for the condition that if the Called-Station-Id contains "eduroam"?
if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") {
man unlang - look for regular expressions.
if (Called-Station-Id =~ /eduroam/) {
or you may want something more like
if (Called-Station-Id =~ /:eduroam$/) {
to check that it ends in ":eduroam"
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
alan buxey -
C.F. Yeung -
Matthew Newton -
Phil Mayers