EAP-TLS with different CA per user?
Frank Sweetser
fs at WPI.EDU
Sun Jun 8 17:18:22 CEST 2008
Alan DeKok wrote:
> Frank Sweetser wrote:
>> The usernames currently don't have a domain portion. Would it be possible for
>> me to set a default domain for a given username? (The list is small, so would
>> be manageable for me.) And if so, could you give me at least a rough example
>> of how I would set this up?
>
> You can configure two different versions of the EAP module. Each one
> has its own server cert && CA. Then, in the "authorize" section, do:
>
> authorize {
>     ...
>     if (User-Name == "user1") {
>         eap_1
>     }
>     elsif (User-Name == "user2") {
>         eap_2
>     }
>     ...
> }
>
> authenticate {
>     ...
>     eap_1
>     eap_2
>     ...
> }
>
> That should work.
That looks exactly like what I was looking for - thanks! I'll give this a
shot on Monday and report back on how it worked...
--
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
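
The two EAP module instances referred to in the quoted reply could be defined along these lines. This is an added example, not part of the original thread and not the project's own configuration; it assumes a FreeRADIUS 2.x style eap.conf, and the certificate and key file names are placeholders.

```conf
# eap.conf (added example; file names below are placeholders)
# Two named instances of the eap module. Each instance presents its own
# server certificate and verifies client certificates against its own CA only.

eap eap_1 {
    default_eap_type = tls
    tls {
        # Server key and certificate issued under CA 1 (placeholder names)
        private_key_file = ${certdir}/server_1.key
        certificate_file = ${certdir}/server_1.pem
        # Client certificates must chain to this CA to be accepted here
        CA_file = ${cadir}/ca_1.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        # Require the certificate CN to equal the User-Name that
        # selected this instance in the authorize section
        check_cert_cn = %{User-Name}
    }
}

eap eap_2 {
    default_eap_type = tls
    tls {
        # Server key and certificate issued under CA 2 (placeholder names)
        private_key_file = ${certdir}/server_2.key
        certificate_file = ${certdir}/server_2.pem
        CA_file = ${cadir}/ca_2.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        check_cert_cn = %{User-Name}
    }
}
```

The User-Name tested in the authorize section is supplied by the client before any certificate has been verified, so it only selects which instance (and therefore which CA) handles the request. With check_cert_cn set, a certificate that chains to the right CA but carries a different CN than the claimed User-Name is rejected.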