Implementing Dynamic Interface Group Assignment with Cisco WLC
Clement Ogedengbe
c.ogedengbe at worc.ac.uk
Wed Apr 6 13:06:04 CEST 2016
Hi,
Does anyone have any idea about what attribute to use to return a parameter to the Cisco WLC for interface group assignment, instead of Tunnel-Private-Group-Id, which only returns the VLAN ID?
Best Regards
Clement
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org] On Behalf Of Stefan Winter
Sent: 06 April 2016 08:31
To: freeradius-users at lists.freeradius.org
Subject: Re: using SSL certs with EAP-TLS
Hi,
>> No. If your server certificate is from a CA, the client can verify
>> that your server is genuine (if the client side is configured
>> correctly to actually check CA and server name).
> With using client: you mean the RADIUS explanation of client? Like the
> Access Point? or the WLAN device, like a smartphone?
In this context, I meant the WLAN device.
>> Since there's no need to go down that route: don't. Issue client
>> certificates from your own self-signed CA, and hand out client certs
>> only to your own account holders. Then, no further checks are needed.
> Ok, thanks. I will reconsider. It's not that I am too lame to generate
> new certs and then import them to a handful devices. It's more that I
> like it that the same client cert in iOS can be used for S/MIME and
> for auth with WPA2 Enterprise.
Ah, well that's a reason for using a commercial CA for the client certs indeed. As others have pointed out, attributes like TLS-Client-Cert-CN can be used to compare the cert name against a list of known-good names.
Of course you'll have to manage that list of names yourself in config; on a scale of "handful" that's not a problem I guess. But on a larger scale, it will get bothersome.
Greetings,
Stefan Winter
>
>> Yes. There are examples in the shipped tarball of FreeRADIUS for that
>> I think. That does not mean that it's the best idea to go down that route.
> I'll look into that (I think it has something to do with the
> check_cert_cn suggested by Alan).
>
>> When you write above that you can use whatever string you like then
>> probably you didn't try this at a remote hotspot. :-)
> That's correct :D. In fact, last week was the first time I experienced
> WPA2 Enterprise and only with one (my own) AP.
>
> Cheers!
>
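As an added illustration (not from the thread or the FreeRADIUS project), here is how the "compare the cert name against a list of known-good names" check from Stefan's reply can be written in FreeRADIUS unlang. It assumes FreeRADIUS 3.0.x, where the tls section of mods-available/eap can name a virtual server (virtual_server = check-eap-tls) that runs during the EAP-TLS handshake with the client certificate fields exposed as TLS-Client-Cert-* attributes; the FreeRADIUS dictionary calls the subject CN TLS-Client-Cert-Common-Name (the thread refers to it as TLS-Client-Cert-CN), and the names in the list are constructed.

```unlang
# sites-enabled/check-eap-tls (added example, not shipped config)
# Referenced from mods-available/eap:
#   tls-config tls-common {
#       ...
#       virtual_server = check-eap-tls
#   }
server check-eap-tls {
    authorize {
        # Constructed allow-list of certificate CNs issued by the
        # commercial CA to our own account holders. Anything else
        # presenting a valid cert from that CA is still refused.
        if (&TLS-Client-Cert-Common-Name == "alice@example.com" ||
            &TLS-Client-Cert-Common-Name == "bob@example.com") {
            ok
        }
        else {
            # Returning reject here aborts the TLS handshake, so the
            # client never reaches Access-Accept.
            reject
        }
    }
}
```

For more than a handful of names, the same comparison can be driven from the users file or an SQL/LDAP lookup keyed on TLS-Client-Cert-Common-Name instead of a growing chain of equality tests.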