different eap/tls config for different interfaces

ragan_davis at colstate.edu ragan_davis at colstate.edu
Tue Aug 9 00:08:18 CEST 2005


Makes sense.  I'm doing EAP-TTLS with LDAP.  I probably wouldn't need 
to define 2 diff ldap instances, since they'd both point to the same 
ldap server.  However, I wonder if the ":=" operator would cause 
freeradius to ignore any other auth methods (such as ldap)?  Doesn't 
that act as an "override" of sorts, or am I way off?

thanks!

----- Original Message -----
From: Michael Griego <mgriego at utdallas.edu>
Date: Monday, August 8, 2005 5:53 pm
Subject: Re: different eap/tls config for different interfaces

> By its Client-IP-Address attribute or NAS-IP-Address attribute.
> 
> Also, you can use the Packet-Dst-IP-Address attribute if you're certain 
> that the clients are split up by interface.  You can match up based on 
> incoming interface like you were thinking about doing with two different 
> servers.  So, if your server is listening on 10.0.0.1 and 10.0.1.1, and 
> your EAP modules are named EAPauth1 and EAPauth2, you could do:
> 
> DEFAULT Packet-Dst-IP-Address == 10.0.0.1, EAP-Message =* "", Auth-Type := EAPauth1
> 
> DEFAULT Packet-Dst-IP-Address == 10.0.1.1, EAP-Message =* "", Auth-Type := EAPauth2
> 
> This functionality may only be in CVS snapshots, though.  I'm not sure as I 
> haven't looked to see if it exists in the production releases.
> 
> --Mike
> 
> ragan_davis at colstate.edu wrote:
> 
> >Mike,
> >
> >Sounds good, thanks for the info.  Just curious:  In the dual eap-tls 
> >configuration that you mentioned in the second paragraph, how would 
> >the radius server know which one to use for a given client?
> >
> >thanks!
> >
> >----- Original Message -----
> >From: Michael Griego <mgriego at utdallas.edu>
> >Date: Friday, August 5, 2005 11:34 pm
> >Subject: Re: different eap/tls config for different interfaces
> >
> >>After I'm done with the rlm_eap_tls rewrites and rlm_eap updates, there 
> >>will be functionality to have multiple EAP submodules of the same type 
> >>with different configurations.  With this, you'll be able to force the 
> >>use of a specific EAP type instance by its instance name.
> >>
> >>In the meantime, if you want to avoid bringing up two servers, you *can* 
> >>configure two EAP module instances, each with a different tls submodule 
> >>configuration.  Force the Auth-Type to the EAP module with the correct 
> >>tls configuration based on your criteria.  I've used this scenario in 
> >>the past.
> >>
> >>--Mike
> >>
> >>
> >>ragan_davis at colstate.edu wrote:
> >>
> >>>Oh...duh...that makes sense.  Should have considered that.  I have since 
> >>>tested the behavior of the scenario I described, and Alan's on target. 
> >>>Doesn't really seem to matter which interface I enter on, or which 
> >>>common-name I use.  Seems to work either way.
> >>>
> >>>thanks for the help!
> >>>
> >>>----- Original Message -----
> >>>From: Kris Benson <kbenson at sd57.bc.ca>
> >>>Date: Friday, August 5, 2005 5:28 pm
> >>>Subject: Re: different eap/tls config for different interfaces
> >>>
> >>>>>ragan_davis at colstate.edu wrote:
> >>>>>
> >>>>>>If so, is it possible to have 2 different tls sections that service 
> >>>>>>the 2 different interfaces?
> >>>>>
> >>>>>No.  FreeRADIUS supports only 1 TLS module at a time.
> >>>>>
> >>>>What Alan forgot to mention is a solution.
> >>>>
> >>>>If you run two copies of the Radius server, with one bound to either a 
> >>>>different set of ports, or one to each IP, you could have separate 
> >>>>configs.
> >>>>-kb
> >>>>--
> >>>>Kris Benson, CCP, I.S.P.
> >>>>Technical Analyst, District Projects
> >>>>School District #57 (Prince George)
> >>>>
> >>>>- 
> >>>>List info/subscribe/unsubscribe? See 
> >>>>http://www.freeradius.org/list/users.html
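The two-instance setup Mike describes, written out as an added example (not configuration from the thread or from the FreeRADIUS project), assuming FreeRADIUS 1.x syntax, a server that already listens on 10.0.0.1 and 10.0.1.1, and constructed certificate paths; the instance names and addresses are the ones in Mike's message:

```conf
# radiusd.conf, modules section: two rlm_eap instances that differ only in
# their tls sub-module settings.  Certificate paths are constructed for this
# example; instance names and addresses come from Mike's message.
modules {
    eap EAPauth1 {
        default_eap_type = tls
        tls {
            private_key_file = ${raddbdir}/certs/if1-server-key.pem
            certificate_file = ${raddbdir}/certs/if1-server-cert.pem
            CA_file = ${raddbdir}/certs/if1-ca.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
        }
    }
    eap EAPauth2 {
        default_eap_type = tls
        tls {
            private_key_file = ${raddbdir}/certs/if2-server-key.pem
            certificate_file = ${raddbdir}/certs/if2-server-cert.pem
            CA_file = ${raddbdir}/certs/if2-ca.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
        }
    }
    # files, ldap and the other module instances already in use stay as they are
}

authorize {
    preprocess
    files      # applies the users entries below, which force Auth-Type
    ldap       # the remaining authorize modules stay as before
}

authenticate {
    # Each forced Auth-Type needs a sub-section that runs the matching instance.
    Auth-Type EAPauth1 {
        EAPauth1
    }
    Auth-Type EAPauth2 {
        EAPauth2
    }
    # Auth-Type LDAP and the other existing sub-sections stay as they are
}

# users file: choose the instance by the address the request arrived on.  The
# EAP-Message =* "" check limits each entry to EAP requests, and := replaces
# any Auth-Type an earlier module set.  As Mike notes, this is only sound if
# the clients really are split by interface.
DEFAULT Packet-Dst-IP-Address == 10.0.0.1, EAP-Message =* "", Auth-Type := EAPauth1
DEFAULT Packet-Dst-IP-Address == 10.0.1.1, EAP-Message =* "", Auth-Type := EAPauth2
```

Because `:=` replaces whatever Auth-Type an earlier authorize module set, the position of `files` in the authorize list decides whether this override wins; a request that is not EAP matches neither entry and falls through to the existing authorize logic.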



More information about the Freeradius-Users mailing list