802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs

PENZ Robert ROBERT.PENZ at TIROL.GV.AT
Thu Mar 22 15:24:41 CET 2012


Hi!

We currently have MAC authentication running with dynamic VLANs via SQL for wired clients. We return the desired VLAN for the client by using the SQL function authorize_reply_query. We now want to add 802.1x EAP-TLS as a supported authentication method. I have got the setup so far that I'm able to authenticate a client which supports it via 802.1x, and the others as fallback with MAC. With MAC auth everything works, but with 802.1x I'm not able to return the VLAN the switch should use. How can I tell freeradius to make an SQL lookup for the reply values? And how can I use the CN of the certificate in the SQL query? I believe I need one query for MAC and one for EAP-TLS, as for one I search for the MAC address and in the other for the CN ... correct?

The last question is more general. How do I get the MAC address for a client that is authenticating with EAP-TLS? I would like to add this to the sqllog. Thx for your help!

I'm using freeradius2-2.1.7-7.el5 on rhel5 with the following config

authorize {
        eap {
                ok = return
        }

        redundant {
                sql
                do_not_respond   # send nothing to the switch if sql fails, another server will take over
        }

        if (ok) {
                update control {
                        Auth-Type := Accept
                }
                # 'handled' does not work here
                ok = return
        }
}
Kind regards
Robert Penz

----------------------------------------------------
Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.penz at tirol.gv.at
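As an added example (not from this post or from any reply to it): the certificate attributes such as TLS-Client-Cert-Common-Name are set by the TLS handshake, which runs in authenticate, so this fragment does the VLAN lookup for EAP-TLS clients in post-auth, where they are available, and leaves the existing MAC path in authorize untouched. The table vlan_map with columns cert_cn and vlan_id is assumed; Calling-Station-Id carries the client MAC for both methods.

```unlang
# post-auth section for the EAP-TLS case (added example, assumed schema).
post-auth {
        # Only clients that presented a certificate get here with a CN set;
        # MAC-authenticated clients already got their reply from
        # authorize_reply_query in the authorize section.
        if (TLS-Client-Cert-Common-Name) {
                # The %{sql:...} xlat escapes the expanded attribute before
                # building the query, so a CN cannot alter the statement.
                update request {
                        Tmp-String-0 := "%{sql:SELECT vlan_id FROM vlan_map WHERE cert_cn = '%{TLS-Client-Cert-Common-Name}'}"
                }

                # No mapping (empty result) or a non-numeric value: reject
                # rather than sending an empty VLAN and letting the switch
                # fall back to its default VLAN.
                if (Tmp-String-0 !~ /^[0-9]+$/) {
                        reject
                }

                # RFC 3580 dynamic VLAN assignment.
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "%{Tmp-String-0}"
                }
        }

        # For logging: Calling-Station-Id is the client MAC as sent by the
        # switch, present for MAC auth and EAP-TLS alike, so it can be used
        # in the post-auth SQL logging query, e.g. '%{Calling-Station-Id}'.
}
```

A rejected request in post-auth turns the Access-Accept into an Access-Reject, so a client without a VLAN mapping is not admitted to the network at all.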