different eap/tls config for different interfaces

Michael Griego mgriego at utdallas.edu
Mon Aug 8 23:53:53 CEST 2005


By its Client-IP-Address attribute or NAS-IP-Address attribute.

Also, you can use the Packet-Dst-IP-Address attribute if you're certain 
that the clients are split up by interface.  You can match up based on 
incoming interface like you were thinking about doing with two different 
servers.  So, if your server is listening on 10.0.0.1 and 10.0.1.1, and 
your EAP modules are named EAPauth1 and EAPauth2, you could do:

DEFAULT Packet-Dst-IP-Address == 10.0.0.1, EAP-Message =* "", Auth-Type := EAPauth1

DEFAULT Packet-Dst-IP-Address == 10.0.1.1, EAP-Message =* "", Auth-Type := EAPauth2

This functionality may only be CVS snapshots, though.  I'm not sure as I 
haven't looked to see if it exists in the production releases.

--Mike

ragan_davis at colstate.edu wrote:

>Mike,
>
>Sounds good, thanks for the info.  Just curious:  In the dual eap-tls 
>configuration that you mentioned in the second paragraph, how would 
>the radius server know which one to use for a given client?
>
>thanks!
>
>----- Original Message -----
>From: Michael Griego <mgriego at utdallas.edu>
>Date: Friday, August 5, 2005 11:34 pm
>Subject: Re: different eap/tls config for different interfaces
>
>>After I'm done with the rlm_eap_tls rewrites and rlm_eap updates, there
>>will be functionality to have multiple EAP submodules of the same type
>>with different configurations.  With this, you'll be able to force the
>>use of a specific EAP type instance by its instance name.
>>
>>In the meantime, if you want to avoid bringing up two servers, you *can*
>>configure two EAP module instances, each with a different tls submodule
>>configuration.  Force the Auth-Type to the EAP module with the correct
>>tls configuration based on your criteria.  I've used this scenario in
>>the past.
>>
>>--Mike
>>
>>
>>ragan_davis at colstate.edu wrote:
>>
>>>Oh...duh...that makes sense.  Should have considered that.  I have since
>>>tested the behavior of the scenario I described, and Alan's on target.
>>>Doesn't really seem to matter which interface I enter on, or which
>>>common-name I use.  Seems to work either way.
>>>
>>>thanks for the help!
>>>
>>>----- Original Message -----
>>>From: Kris Benson <kbenson at sd57.bc.ca>
>>>Date: Friday, August 5, 2005 5:28 pm
>>>Subject: Re: different eap/tls config for different interfaces
>>>
>>>>>ragan_davis at colstate.edu wrote:
>>>>>
>>>>>>If so, is it possible to have 2 different tls sections that service
>>>>>>the 2 different interfaces?
>>>>>
>>>>>No.  FreeRADIUS supports only 1 TLS module at a time.
>>>>
>>>>What Alan forgot to mention is a solution.
>>>>
>>>>If you run two copies of the Radius server, with one bound to either a
>>>>different set of ports, or one to each IP, you could have separate
>>>>configs.
>>>>-kb
>>>>--
>>>>Kris Benson, CCP, I.S.P.
>>>>Technical Analyst, District Projects
>>>>School District #57 (Prince George)
>>>>
>>>>- 
>>>>List info/subscribe/unsubscribe? See 
>>>>http://www.freeradius.org/list/users.html
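To see how the two DEFAULT entries Michael gives at the top of the thread would pick an EAP instance per listening address, here is an added example (not code from the thread, and not FreeRADIUS's own code): a small Python model of the users-file check-item evaluation. The first-match walk, the handful of operators modelled, and the sample requests are this example's own assumptions; the two entry lines are the ones from the message.

```python
"""Added example, not code from the mailing-list thread: a small simulation of
how FreeRADIUS 'users' file DEFAULT entries pick an Auth-Type from check items.
The two entries are the ones Michael gives; the requests are constructed
sample data, and the first-match evaluation below is this example's own
model of the users-file semantics, not FreeRADIUS code."""

import re
from typing import Dict, List, Optional, Tuple

# The two entries from the message, each on a single line as the users file
# expects (check items are comma-separated on the first line of an entry).
USERS_FILE = """
DEFAULT Packet-Dst-IP-Address == 10.0.0.1, EAP-Message =* "", Auth-Type := EAPauth1
DEFAULT Packet-Dst-IP-Address == 10.0.1.1, EAP-Message =* "", Auth-Type := EAPauth2
"""

# One check item: attribute name, operator, then a quoted or bare value.
CHECK_ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|=\*|!\*|=)\s*(?:"([^"]*)"|(\S+))\s*')

CheckItem = Tuple[str, str, str]


def parse_users_file(text: str) -> List[Tuple[str, List[CheckItem]]]:
    """Return [(entry_name, [(attr, op, value), ...]), ...] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        items: List[CheckItem] = []
        for piece in rest.split(","):
            match = CHECK_ITEM.fullmatch(piece)
            if match is None:
                raise ValueError(f"cannot parse check item: {piece!r}")
            attr, op, quoted, bare = match.groups()
            items.append((attr, op, quoted if quoted is not None else bare))
        entries.append((name, items))
    return entries


def select_auth_type(entries, request: Dict[str, str]) -> Optional[str]:
    """First entry whose check items all match wins; return its Auth-Type.

    Operators modelled (this example's assumption about users-file rules):
    '==' value must equal the request attribute, '=*' attribute must be
    present with any value, '!*' attribute must be absent, ':=' is an
    assignment into the control list rather than a check.
    """
    for _name, items in entries:
        auth_type = None
        matched = True
        for attr, op, value in items:
            if op == ":=":
                if attr == "Auth-Type":
                    auth_type = value
            elif op == "=*":
                matched = attr in request
            elif op == "!*":
                matched = attr not in request
            elif op == "==":
                matched = request.get(attr) == value
            else:
                raise ValueError(f"operator {op!r} not modelled here")
            if not matched:
                break
        if matched:
            return auth_type
    return None


ENTRIES = parse_users_file(USERS_FILE)

# Constructed sample requests.  Packet-Dst-IP-Address is the address the
# server received the packet on; an EAP-TLS exchange always carries an
# EAP-Message, while a plain PAP request does not.
EAP_ON_IF1 = {"User-Name": "alice", "Packet-Dst-IP-Address": "10.0.0.1",
              "EAP-Message": "0x020100060d00"}
EAP_ON_IF2 = {"User-Name": "bob", "Packet-Dst-IP-Address": "10.0.1.1",
              "EAP-Message": "0x020100060d00"}
PAP_ON_IF1 = {"User-Name": "carol", "Packet-Dst-IP-Address": "10.0.0.1",
              "User-Password": "constructed"}
EAP_ON_OTHER = {"User-Name": "dave", "Packet-Dst-IP-Address": "192.0.2.7",
                "EAP-Message": "0x020100060d00"}


if __name__ == "__main__":
    for label, req in [("EAP on 10.0.0.1", EAP_ON_IF1), ("EAP on 10.0.1.1", EAP_ON_IF2),
                       ("PAP on 10.0.0.1", PAP_ON_IF1), ("EAP on 192.0.2.7", EAP_ON_OTHER)]:
        print(f"{label:18} -> Auth-Type {select_auth_type(ENTRIES, req)}")
```

Two things the model makes visible: an EAP request arriving on an address that matches neither entry gets no Auth-Type from these two lines, so a real users file still needs whatever fallback entry the deployment wants; and, as Michael says, Packet-Dst-IP-Address only tells the two groups of clients apart when they really are split by interface, otherwise Client-IP-Address or NAS-IP-Address is the attribute to key on.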


