2 Certs for 2 SSID (802.1x)

C.F. Yeung yeungcf at gmail.com
Thu May 17 06:07:45 CEST 2012


I have added a new eap_new with the other cert in eap.conf and tried the
unlang policy. But it still goes to my existing eap/cert. MAC address and
IP are masked by x.

+- entering group authorize {...}
++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam")
? Evaluating (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE
++? if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") -> TRUE
++- entering if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") {...}
[eap_new] EAP packet type response id 5 length 253
[eap_new] Continuing tunnel setup.
+++[eap_new] returns ok
++- if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = eap_new
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user 'testuser'
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 222 to x.x.x.x port 1814
        EAP-Message =
0x0106004119001403010001011603010030b28ae1644d58446a53a87038624720d385694e46bdc3ed64cc1db984d2b701c2c108d53dd42f6b1cda054ca078d222ec
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x96c69e6392c08707519378ef521f03bb
        Proxy-State = 0x3637
Finished request 4.


On Wed, May 16, 2012 at 11:46 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 16/05/12 16:29, C.F. Yeung wrote:
>
>> We have 2 SSL Certs for two SSID (802.1x). How can my freeradius server
>> present wifi clients the cert based on SSID? Should I have two eap.conf?
>>
>
> Yes. Configure the two "eap" modules with different names e.g.
>
> eap eap_cert1 {
>  ...
> }
> eap eap_cert2 {
>  ...
> }
>
> ...and then configure your radius server to run the appropriate eap
> module. Two choices for this:
>
>  1. If your wireless equipment allows it, configure each SSID with
> different radius server IP/ports. Then make FreeRADIUS listen on different
> ports like so:
>
> listen {
>  type = auth
>  ipaddr = *
>  port = 18000
>  virtual_server = server1
> }
> server server1 {
>  authorize {
>    ...
>    eap_cert1
>  }
>  authenticate {
>    ...
>    eap_cert1
>  }
> }
>
> # repeat for cert1/eap2
>
>  2. Use "unlang" policies to match on SSID e.g. (untested)
>
> authorize {
>  if (My-SSID == SSID1) {
>    eap_cert1
>  }
>  elsif (My-SSID == SSID2) {
>    eap_cert2
>  }
> }
> authenticate {
>  ...
>  eap_cert1
>  eap_cert2
> }
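
The debug output at the top of this message shows why the second certificate is never presented: eap_new runs inside the if block, but the unconditioned eap call further down in authorize runs as well, each one sets an Auth-Type (hence "Found 2 auth-types"), and authenticate then goes to [eap], the original instance. The authorize/authenticate fragment below is an added example written for this page, not configuration posted by either participant. It assumes FreeRADIUS 2.x unlang, eap module instances named eap_new and eap as in the thread, and that the access points send Called-Station-Id as "BSSID:SSID"; the SSID "eduroam" is taken from the log, "staff" is an assumed name for the second SSID.

```unlang
# sites-enabled/default, FreeRADIUS 2.x (added example, not from the thread).
# Assumptions: eap instances "eap_new" (new cert) and "eap" (existing cert),
# SSIDs "eduroam" (from the debug log) and "staff" (assumed second SSID).

authorize {
    preprocess
    chap
    mschap
    suffix

    # BROKEN, as seen in the debug output: eap_new runs inside the if, then
    # the plain "eap" call below it runs unconditionally.  Both set an
    # Auth-Type, the server warns "Found 2 auth-types", and authenticate
    # ends up in the default "eap" instance with the old certificate.
    #
    #   if (Called-Station-Id == "xx-xx-xx-xx-xx-xx:eduroam") {
    #       eap_new
    #   }
    #   eap

    # FIXED: exactly one eap instance runs per request.  Matching on the
    # ":SSID" suffix makes the rule hold for every AP, not one BSSID.
    # "ok = return" stops authorize here once EAP has claimed the request,
    # as the stock default site does for the single eap call.
    if (Called-Station-Id =~ /:eduroam$/) {
        eap_new {
            ok = return
        }
    }
    elsif (Called-Station-Id =~ /:staff$/) {
        eap {
            ok = return
        }
    }
    # A request from any other SSID runs no eap instance, so no Auth-Type is
    # set and the server rejects it ("No authenticate method (Auth-Type) found").

    files
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }

    # Both instances must be listed: whichever one set Auth-Type in
    # authorize is the one that continues the TLS tunnel here.
    eap_new
    eap
}
```

Check it with radiusd -X: a request for each SSID should now produce a single "Found Auth-Type = ..." line (eap_new or EAP), no "Found 2 auth-types" warning, and the "[peap]" or "[eap_new]" lines in authenticate should belong to the instance whose certificate you expect for that SSID.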