how to disable a particular EAP type in freeradius2 for a particular ESSID ?

Phil Mayers p.mayers at imperial.ac.uk
Fri Feb 10 12:57:54 CET 2012


On 10/02/12 11:33, Riccardo Veraldi wrote:
> Hello,
> I have a radius infrastructure with multiple ESSID.
> in particular I have the eduroam ESSID and another local ESSID.
> They are managed by my freeradius2 server with 2 virtual-server
> instances, one for eduroam and the other for my local ESSID.
> Both are 802.1x infrastructures.
>
> I have always been disabling EAP-TLS in my local infrastructure writing
> this in the users file
>
> DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
>
> but now I need EAP-TLS to be avaliable for eduroam and I do not like the
> solution to have a completely different radius server,

If you have an "eduroam" SSID, what's going to stop your users 
connecting to that, and using EAP-TLS?

> I wanted to do it with only one freeradius server with virtual server
> configuration.
>
> Thus I need to enable EAP-TLS for eduroam and disable EAP-TLS for my
> local SSID.

Does your wireless platform let you set different radius servers 
per-SSID? If so, you can run a FreeRADIUS virtual server on separate ports.

>
> How is possible to do this on freeradius2 ?

  1. Define two virtual servers
  2. Have them listen on different ports
  3. Set the radius servers for the two SSIDs to the relevant ports
  4. Write a different policy in each virtual server



More information about the Freeradius-Users mailing list