realm matching and multiple eap types

Ivan Kalik tnt at kalik.net
Mon Aug 3 16:57:08 CEST 2009


> I have a running FreeRADIUS installation (v 1.1.3-1.4  - as supplied by
> Red Hat)

Upgrade. This is easy to do with unlang in 2.x.

http://wiki.freeradius.org/Red_Hat_FAQ

> I do however need to add in certificate based authentication for a pool
> of loan laptops which will not be using local auth (at the laptop end
> and will be dealt with elsewhere with the services that they access) and
> this is proving problematic and leaves me with some questions:
>
> 1. since the user names on these pool machines are likely to be of the
> form: host/testlaptop.another.domain  - how can I ensure that I match
> the domain entry since there is no '@' in the user name?  ie drop the
> host/testlaptop and just leave me with .another.domain

Use unlang to set Realm with regex.

> 2. how do I configure an additional tls type within eap using a
> different set of certificates? These laptops will have autogenerated
> certs installed that point back to a root CA within a Windows Domain, I
> already have certs installed based around the NRPS but for these laptops
> we will be using our own CA cert which will not be signed off elsewhere
> - but we can at least install the CA cert onto the laptops as part of
> the build to fix up the trust relationships.

You configure a second eap instance with certificates by Windows CA. Then
use unlang to choose which eap instance to select.

> Or assuming that I can get 1 (above) working, am I better off just
> proxying the entire auth request onto another radius server? Which does I
> admit seem a little overkill.

This can be done with a single server if you upgrade. If you don't want
to upgrade use regex in users file to proxy requests to second server that
will have certificates from Windows CA.

Ivan Kalik
Kalik Informatika ISP
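As an added illustration of the two unlang steps above (not configuration from this thread or from the FreeRADIUS project), this is one way to extract the realm from a `host/...` User-Name and route such requests to a second EAP instance in 2.x; the instance name `eap_winca`, the certificate paths and the realm `another.domain` are assumptions.

```unlang
# eap.conf: a second rlm_eap instance ("eap_winca" is this example's name)
# whose server certificate and trusted CA come from the Windows CA.
# File paths are placeholders.
eap eap_winca {
	default_eap_type = tls
	tls {
		certificate_file = ${certdir}/winca/server.pem
		private_key_file = ${certdir}/winca/server.key
		CA_file = ${cadir}/winca-root.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
	}
}

# sites-enabled/default, authorize section
authorize {
	preprocess
	# User-Name host/testlaptop.another.domain has no '@', so take the
	# realm as everything after the first '.' of the host part. The
	# capture yields "another.domain" (no leading dot).
	if (User-Name =~ /^host\/[^.]+\.(.+)$/) {
		update request {
			Realm := "%{1}"
		}
		# laptop certs chain to the Windows CA: use that EAP instance
		eap_winca {
			ok = return
		}
	}
	else {
		# everyone else: normal '@' realm handling and the default instance
		suffix
		eap {
			ok = return
		}
	}
	files
}

# authenticate section: rlm_eap sets Auth-Type to its own instance name
# (assumed here, as for the stock "eap" instance), so listing each instance
# bare is enough for the right one to run for the Auth-Type it set.
authenticate {
	eap
	eap_winca
}
```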
