Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selection possible?

Michael Schwartzkopff misch at multinet.de
Wed Apr 1 13:55:27 CEST 2009


On Wednesday, 1 April 2009 13:43:30, Ulf Leichsenring wrote:
> Hi FreeRADIUS user community
>
> I'm in search for some ideas for the following situation:
>
> Given are several WLANS controlled by a Siemens Hipath C2400 WLAN
> Controller with Siemens APs. The controller provides different WLANs
> identified by different ESSIDs. All WLAN Clients use IEEE802.1x
> authentication with EAP-TLS and client certificates.
> The authentication is done by FreeRADIUS 1.0.1 on Redhat EL AS4.
>
> At the moment, all clients use certificates and inside the FreeRADIUS
> eap-tls section the ca certificates are trusted.
> All Windows clients use a MS CA and have certificates with the Windows
> system name as the certificate's common name. Other devices like mobile
> scanners or WLAN mobile phones (VoIP) have manually generated
> certificates with the device type as the certificate's common name like
> "phone", "mobile scanner" or else.
> So far, it works.
>
> But now I was asked if it is possible to restrict the association of
> several device types to defined ESSIDs. There should be a WLAN "office"
> where all devices are allowed to connect if they have a valid certificate.
> Other ESSIDs should only accept special devices, e.g. only devices with
> the certificate's common name "phone" should be allowed to connect to the
> ESSID "voice".
>
> I know, the Siemens controller is able to send the ESSID the device is
> trying to connect inside the RADIUS request as vendor specific attribute.
>
> Is it possible with FreeRADIUS to match these requirements? To select
> based on the ESSID the device is connecting to?
> If the connecting ESSID is "office", all devices with a valid
> certificate are allowed to connect.
> If the ESSID is "voice", only devices with a valid certificate and with
> a certificate's common name that contains "*phone*" are allowed to connect.
> If the ESSID is "production-1", only devices with a valid certificate
> and with a certificate's common name that contains "*mobile scanner*" are
> allowed to connect.
>
> I've googled a lot, without success. All Freeradius documentation I've
> found about eap-tls only describes how to accept all devices with a valid
> certificate.
> I've seen this scenario running with commercial RADIUS servers but I
> guess it might also be possible using FreeRADIUS.
>
> Any tip or idea is welcome.

Hi,

1) Upgrade to an actual version of FR. 2.1.4 should do.

2) Edit your dictionary so that your FR understands the Siemens vendor spec 
attributes.

3) create an unlang (only FR version 2!) config to also check for the new essid 
attribute and according group membership should do the job.

Greetings,

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: misch at multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
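Added example of step 3, not taken from the reply above or from the FreeRADIUS project: an unlang policy for the post-auth section of a FreeRADIUS 2.x virtual server that maps the ESSID to the allowed certificate common names from the question. It assumes the Siemens ESSID VSA has been given the hypothetical dictionary name Siemens-ESSID in step 2 (the real name comes from your dictionary or "radiusd -X" output), and that rlm_eap_tls has already populated TLS-Client-Cert-Common-Name from the validated client certificate, so the policy only ever sees devices that passed EAP-TLS.

```unlang
# Added example policy (not from the original mail).  Place inside the
# post-auth section of the virtual server that handles the WLAN
# controller (e.g. sites-enabled/default in FreeRADIUS 2.x).
#
# Assumptions, both labelled here and in the lead-in:
#   - Siemens-ESSID is a hypothetical dictionary name for the Siemens VSA
#     carrying the ESSID; substitute the name from your dictionary.
#   - TLS-Client-Cert-Common-Name is filled in by rlm_eap_tls after a
#     successful EAP-TLS handshake, so it is only present for valid certs.
post-auth {
    # Only enforce the mapping when the NAS actually sent an ESSID.
    if (Siemens-ESSID) {
        switch "%{Siemens-ESSID}" {
            case "office" {
                # Any device with a valid certificate may associate here.
                ok
            }
            case "voice" {
                # Only certificates whose CN contains "phone".
                if (TLS-Client-Cert-Common-Name !~ /phone/) {
                    reject
                }
            }
            case "production-1" {
                # Only certificates whose CN contains "mobile scanner".
                if (TLS-Client-Cert-Common-Name !~ /mobile scanner/) {
                    reject
                }
            }
            case {
                # ESSID not covered by the policy: fail closed rather than
                # silently admit every valid certificate to every WLAN.
                reject
            }
        }
    }

    # ... keep the stock post-auth entries (exec, reply_log, ...) below ...
}
```

A "reject" returned from post-auth turns the pending Access-Accept into an Access-Reject and runs Post-Auth-Type REJECT, so the controller never learns the session keys for a device that matched the wrong ESSID; watch the "radiusd -X" debug output for the Siemens-ESSID value before relying on the default case, since the catch-all will block any WLAN you forgot to list.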