different eap/tls config for different interfaces
Michael Griego
mgriego at utdallas.edu
Tue Aug 9 01:53:23 CEST 2005
That's why I added the extra bit to make sure an EAP-Message attribute
existed in the packet (EAP-Message =* ""). That way, it won't force an
Auth-Type in an instance where EAP attributes don't exist. The inner
authentication of an EAP-TTLS/PAP exchange would be one example of this.
--Mike
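As an added illustration (not code from this thread or from FreeRADIUS itself), the following Python script models a stripped-down version of users-file matching and runs the two DEFAULT entries posted in the thread, with and without the `EAP-Message =* ""` check, against a constructed outer EAP request and a constructed inner EAP-TTLS/PAP request. The sample attribute values, the user names, the `USERS_WITHOUT_CHECK` variant and the assumption that the inner request still carries the same Packet-Dst-IP-Address are all constructed here; real FreeRADIUS semantics (Fall-Through, reply items, regex operators) are deliberately left out.

```python
"""Toy evaluator for the `users` file entries discussed in this thread.

Constructed illustration only: it models just enough of the users-file
semantics (first-line check items, `==`, `=*`, `:=`, first matching entry
wins, no Fall-Through) to show why the `EAP-Message =* ""` check matters.
It is not FreeRADIUS code.
"""
import re
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]          # (attribute, operator, value)
Entry = Tuple[str, List[Item]]       # (entry name, first-line items)

# The two entries posted in the thread (server listening on 10.0.0.1 and
# 10.0.1.1, EAP module instances EAPauth1 and EAPauth2).
USERS_WITH_CHECK = '''
DEFAULT Packet-Dst-IP-Address == 10.0.0.1, EAP-Message =* "", Auth-Type := EAPauth1
DEFAULT Packet-Dst-IP-Address == 10.0.1.1, EAP-Message =* "", Auth-Type := EAPauth2
'''

# The same entries without the existence check, for comparison (constructed).
USERS_WITHOUT_CHECK = '''
DEFAULT Packet-Dst-IP-Address == 10.0.0.1, Auth-Type := EAPauth1
DEFAULT Packet-Dst-IP-Address == 10.0.1.1, Auth-Type := EAPauth2
'''

ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|=\*|:=)\s*("[^"]*"|\S+)\s*')


def parse_users(text: str) -> List[Entry]:
    """Parse one-line entries of the form `NAME item, item, ...`."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        name, _, rest = line.partition(' ')
        items: List[Item] = []
        for part in rest.split(','):
            m = ITEM_RE.fullmatch(part)
            if m is None:
                raise ValueError(f'cannot parse item {part!r}')
            attr, op, value = m.groups()
            items.append((attr, op, value.strip('"')))
        entries.append((name, items))
    return entries


def entry_matches(name: str, items: List[Item], request: Dict[str, str]) -> bool:
    """True if every comparison item on the entry's first line is satisfied."""
    if name != 'DEFAULT' and request.get('User-Name') != name:
        return False
    for attr, op, value in items:
        if op == ':=':
            continue                       # control item, not a comparison
        if op == '=*':                     # attribute must merely exist
            if attr not in request:
                return False
        elif op == '==':                   # attribute must exist and be equal
            if request.get(attr) != value:
                return False
    return True


def select_control_items(users_text: str, request: Dict[str, str]) -> Dict[str, str]:
    """Return the `:=` items of the first matching entry, or {} if none match."""
    for name, items in parse_users(users_text):
        if entry_matches(name, items, request):
            return {attr: value for attr, op, value in items if op == ':='}
    return {}


# Constructed sample requests.  The inner EAP-TTLS/PAP request is assumed to
# carry the same Packet-Dst-IP-Address as the outer one (worst case for the
# entry) but, being plain PAP, no EAP-Message attribute.
OUTER_EAP_REQUEST = {
    'User-Name': 'anonymous',
    'Packet-Dst-IP-Address': '10.0.0.1',
    'EAP-Message': '0x0201000501',   # made-up EAP Identity payload
}
INNER_TTLS_PAP_REQUEST = {
    'User-Name': 'rdavis',
    'User-Password': 'hunter2',
    'Packet-Dst-IP-Address': '10.0.0.1',
}

if __name__ == '__main__':
    for label, users in (('with check', USERS_WITH_CHECK),
                         ('without check', USERS_WITHOUT_CHECK)):
        print(label, 'outer EAP ->', select_control_items(users, OUTER_EAP_REQUEST))
        print(label, 'inner PAP ->', select_control_items(users, INNER_TTLS_PAP_REQUEST))
```

Without the existence check, the inner PAP request also gets Auth-Type forced to EAPauth1, which is exactly the override that would stop a non-EAP authentication (such as LDAP) from running; with the check, no entry matches the inner request and no Auth-Type is set.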
ragan_davis at colstate.edu wrote:
>Makes sense. I'm doing EAP-TTLS with LDAP. I probably wouldn't need
>to define 2 diff ldap instances, since they'd both point to the same
>ldap server. However, I wonder if the ":=" operator would cause
>freeradius to ignore any other auth methods (such as ldap)? Doesn't
>that act as an "override" of sorts, or am I way off?
>
>thanks!
>
>----- Original Message -----
>From: Michael Griego <mgriego at utdallas.edu>
>Date: Monday, August 8, 2005 5:53 pm
>Subject: Re: different eap/tls config for different interfaces
>
>>By its Client-IP-Address attribute or NAS-IP-Address attribute.
>>
>>Also, you can use the Packet-Dst-IP-Address attribute if you're certain
>>that the clients are split up by interface. You can match up based on
>>incoming interface like you were thinking about doing with two different
>>servers. So, if your server is listening on 10.0.0.1 and 10.0.1.1, and
>>your EAP modules are named EAPauth1 and EAPauth2, you could do:
>>
>>DEFAULT Packet-Dst-IP-Address == 10.0.0.1, EAP-Message =* "", Auth-Type := EAPauth1
>>
>>DEFAULT Packet-Dst-IP-Address == 10.0.1.1, EAP-Message =* "", Auth-Type := EAPauth2
>>
>>This functionality may only be in CVS snapshots, though. I'm not sure as I
>>haven't looked to see if it exists in the production releases.
>>
>>--Mike
>>
>>ragan_davis at colstate.edu wrote:
>>
>>>Mike,
>>>
>>>Sounds good, thanks for the info. Just curious: In the dual eap-tls
>>>configuration that you mentioned in the second paragraph, how would
>>>the radius server know which one to use for a given client?
>>>
>>>thanks!
>>>
>>>----- Original Message -----
>>>From: Michael Griego <mgriego at utdallas.edu>
>>>Date: Friday, August 5, 2005 11:34 pm
>>>Subject: Re: different eap/tls config for different interfaces
>>>
>>>>After I'm done with the rlm_eap_tls rewrites and rlm_eap updates, there
>>>>will be functionality to have multiple EAP submodules of the same type
>>>>with different configurations. With this, you'll be able to force the
>>>>use of a specific EAP type instance by its instance name.
>>>>
>>>>In the meantime, if you want to avoid bringing up two servers, you *can*
>>>>configure two EAP module instances, each with a different tls submodule
>>>>configuration. Force the Auth-Type to the EAP module with the correct
>>>>tls configuration based on your criteria. I've used this scenario in
>>>>the past.
>>>>
>>>>--Mike
>>>>
>>>>ragan_davis at colstate.edu wrote:
>>>>
>>>>>Oh...duh...that makes sense. Should have considered that. I have since
>>>>>tested the behavior of the scenario I described, and Alan's on target.
>>>>>Doesn't really seem to matter which interface I enter on, or which
>>>>>common-name I use. Seems to work either way.
>>>>>
>>>>>thanks for the help!
>>>>>
>>>>>----- Original Message -----
>>>>>From: Kris Benson <kbenson at sd57.bc.ca>
>>>>>Date: Friday, August 5, 2005 5:28 pm
>>>>>Subject: Re: different eap/tls config for different interfaces
>>>>>
>>>>>>>ragan_davis at colstate.edu wrote:
>>>>>>>
>>>>>>>>If so, is it possible to have 2 different tls sections that service
>>>>>>>>the 2 different interfaces?
>>>>>>>
>>>>>>>No. FreeRADIUS supports only 1 TLS module at a time.
>>>>>>
>>>>>>What Alan forgot to mention is a solution.
>>>>>>
>>>>>>If you run two copies of the Radius server, with one bound to either a
>>>>>>different set of ports, or one to each IP, you could have separate
>>>>>>configs.
>>>>>>-kb
>>>>>>--
>>>>>>Kris Benson, CCP, I.S.P.
>>>>>>Technical Analyst, District Projects
>>>>>>School District #57 (Prince George)
>>>>>>
>>>>>>-
>>>>>>List info/subscribe/unsubscribe? See
>>>>>>http://www.freeradius.org/list/users.html