basic handling of multiple EAP-Methods by freerad
    Phil Mayers
    p.mayers at imperial.ac.uk
    Tue Jun 27 11:27:24 CEST 2006

Rainer Brinkmann wrote:
> Hello,
> 
> we wonder how a freeradius can request a client to use a fixed EAP-Method:
> so it's defined:
> Client starts with EAP-Start-Msg
> Radius wants EAP-Identity
> Client answers with Username or Hostname NOT using a special EAP-Method
> 
> Radius now starts communicating with the first EAP-Packet, using the
> special EAP-Method
For this, it will use the default_eap_type
> 
> Question:
> 
> you run in your wireless LAN many SSIDs:
> SSID1 shall use EAP-TTLS
> SSID2 shall use EAP-TLS    (high-secured Net like personal Data)
> 
> what logic starts the right inner-EAP-Protocol, because neither the
> AccessPoint(WLAN-Controller), nor the
> radius server knows what Method to use, when there are many enabled.
> 
> e.g. on a cisco-Radius, that runs with enabled PEAP and TLS, but there's no
> special attribute defined to control that
Yes there is. Set "EAP-Type" (see dictionary.freeradius.internal)
e.g.
DEFAULT	Your-SSID-AVP = "SSID1", EAP-Type := EAP-TTLS
DEFAULT Your-SSID-AVP = "SSID2", EAP-Type := EAP-TLS
Note however, the client can still NAK the radius server and request a 
different type, and the radius server will allow that. To prevent that, 
you'd need to run >1 instance of the eap module and disable the other 
eap types. The following is untested and may not work for various 
reasons, but is worth a try:
modules {
   eap eap_ttlsonly {
     default_eap_type = ttls
     # only define one eap sub-module
     ttls {
       # stuff
     }
   }
   eap eap_tlsonly {
     default_eap_type = tls
     # only define one eap sub-module
     tls {
       # stuff
     }
   }
}
authorize {
   preprocess
   users
   Autz-Type TTLS-only {
     eap_ttlsonly
   }
   Autz-Type TLS-only {
     eap_tlsonly
   }
}
authenticate {
   Auth-Type TTLS-only {
     eap_ttlsonly
   }
   Auth-Type TLS-only {
     eap_tlsonly
   }
}
...then in "users":
DEFAULT SSID = "ssid1", Autz-Type := TTLS-only, Auth-Type := TTLS-only
DEFAULT SSID = "ssid2", Autz-Type := TLS-only, Auth-Type := TLS-only
> 
> 
> thanks for reply,
> Rainer Brinkmann
> 
> University-Clinicum Hamburg / Germany
> 
> 
> 
> - List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
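
As an added example (this is not the config from Phil's reply, nor the FreeRADIUS project's shipped files), the same two-instance layout written out in FreeRADIUS 3.x syntax. The 3.x `tls-config` block lets a TTLS-only instance carry the server certificate without also offering EAP-TLS as a method, which is what makes the "client NAKs to another type" problem go away inside that instance. Assumptions: the NAS reports the SSID in Called-Station-Id as "<AP-MAC>:<SSID>"; the certificate paths, the SSID names SSID1/SSID2 and the instance name eap_inner are placeholders chosen for this example; listen sections are omitted.

```conf
# Added example, not the mail's config. FreeRADIUS 3.x syntax; paths and
# SSID names are placeholders. Assumes Called-Station-Id = "<AP-MAC>:<SSID>".

# --- mods-enabled/eap: one instance per allowed outer method ---
eap eap_ttlsonly {
    default_eap_type = ttls
    tls-config tls-common {
        private_key_file = /etc/raddb/certs/server.pem   # placeholder
        certificate_file = /etc/raddb/certs/server.pem   # placeholder
        ca_file          = /etc/raddb/certs/ca.pem       # placeholder
        dh_file          = /etc/raddb/certs/dh           # placeholder
    }
    # Deliberately no "tls { }" and no "mschapv2 { }" method block here:
    # the only method this instance will ever propose or accept is TTLS,
    # so a NAK asking for EAP-TLS or bare EAP-MSCHAPv2 cannot be honoured.
    ttls {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }
}

eap eap_tlsonly {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file = /etc/raddb/certs/server.pem   # placeholder
        certificate_file = /etc/raddb/certs/server.pem   # placeholder
        ca_file          = /etc/raddb/certs/ca.pem       # placeholder
        dh_file          = /etc/raddb/certs/dh           # placeholder
    }
    tls {
        tls = tls-common
    }
}

# Third instance (hypothetical name) used only inside the TTLS tunnel, so the
# inner method never becomes selectable on the outer, unprotected exchange.
eap eap_inner {
    default_eap_type = mschapv2
    mschapv2 {
    }
}

# --- sites-enabled/default: outer request ---
server default {
    authorize {
        preprocess
        files                      # reads the "users" entries below
        Autz-Type TTLS-only {
            eap_ttlsonly
        }
        Autz-Type TLS-only {
            eap_tlsonly
        }
    }
    authenticate {
        Auth-Type eap_ttlsonly {
            eap_ttlsonly
        }
        Auth-Type eap_tlsonly {
            eap_tlsonly
        }
    }
}

# --- sites-enabled/inner-tunnel: the request carried inside TTLS ---
server inner-tunnel {
    authorize {
        eap_inner
        files
    }
    authenticate {
        Auth-Type eap_inner {
            eap_inner
        }
    }
}

# --- users: pick the instance from the SSID, reject anything unmatched ---
DEFAULT Called-Station-Id =~ ":SSID1$", Autz-Type := TTLS-only, Auth-Type := eap_ttlsonly
DEFAULT Called-Station-Id =~ ":SSID2$", Autz-Type := TLS-only,  Auth-Type := eap_tlsonly
DEFAULT Auth-Type := Reject
```

The design choice is that the outer `authorize` never calls a general-purpose `eap` instance: the `users` entry sets Autz-Type, and only the matching Autz-Type sub-section hands the packet to an eap instance that knows exactly one method, so the instance has nothing else to fall back to when a supplicant NAKs. The closing `DEFAULT Auth-Type := Reject` makes an unknown SSID (or a wired port that does not carry one) fail closed instead of silently running with whichever instance appears first. Run `radiusd -X` and check the debug output to confirm that on SSID1 only TTLS is ever proposed and that a NAK for another type ends in Access-Reject.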