Migration -> FR3 + CiscoAPs + Multiple SSID+ EAP-TLS +, Multiple Certs
Alan DeKok
aland at deployingradius.com
Thu Nov 29 18:43:29 CET 2018
On Nov 29, 2018, at 12:20 PM, Ted Hyde (RSI) <thyde at rndstudio.com> wrote:
> Alan thank you - from a pseudo-code level, what I am therefore looking for is:
>
> if (MAC_LIMITED-SSID && EAP-CERT-01)
> {
> check eap valid cert "EAP-CERT-01"
That should happen automatically with the EAP module.
> look up MAC
> if !known MAC reject
> if blocked MAC reject
> (inferred tail deny)
The server doesn't reject users by default; it rejects *unknown* users.
> }
> else if (OPEN-SSID && EAP-CERT-02)
> {
> check eap valid cert "EAP-CERT-02"
> accept
> (inferred tail deny)
> }
>
> I am not looking to manage an implicit blocking list for OPEN-SSID; if the client has the *appropriate* cert (designated for OPEN-SSID), and they associate with OPEN-SSID, then they should be accepted. I do want to maintain two separate certs each intended to match against their designated SSIDs.
Sure. What you're looking for then, is more this:
authorize {
    ...
    eap
    ...
}

authenticate {
    ...
    eap
    ...
}

post-auth {
    ...
    if (MAC_LIMITED-SSID && EAP-CERT-01)
    {
        look up MAC
        if !known MAC reject
        if blocked MAC reject
    }
    ...
}
Which is pretty simple. That assumes that both client certs are issued by the same CA.
Alan DeKok.
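The pseudo-code above, spelled out as FreeRADIUS 3 unlang. This is an added example, not code from Alan's reply or from the FreeRADIUS project, and it rests on assumptions the thread does not state: that the Cisco APs send Called-Station-Id as "<ap-mac>:<SSID>" (so the SSID is the text after the last ':'), that the two SSIDs are named "MAC-LIMITED" and "OPEN", that the two client-certificate profiles (both from the same CA) are distinguished by their CommonName "EAP-CERT-01" and "EAP-CERT-02", which rlm_eap exposes as TLS-Client-Cert-Common-Name after it has verified the chain, and that the three MAC addresses in the switch are placeholders for a real list.

```unlang
#  Added example (not from the original message).  Runs after rlm_eap has
#  already verified the client certificate in "authenticate".
post-auth {
    #  Pull the SSID out of Called-Station-Id.
    #  Assumption: Cisco APs send it as "<ap-mac>:<SSID>".
    if (&Called-Station-Id =~ /:([^:]+)$/) {
        update request {
            &Tmp-String-0 := "%{1}"
        }
    }

    #  MAC-limited SSID: the presented cert must be the EAP-CERT-01
    #  profile AND the client MAC must be known and not blocked.
    #  The MAC list is inline here only to keep the fragment
    #  self-contained; a deployment would back it with sql or files.
    if ((&Tmp-String-0 == "MAC-LIMITED") && (&TLS-Client-Cert-Common-Name == "EAP-CERT-01")) {
        switch "%{tolower:%{Calling-Station-Id}}" {
            #  Known and allowed (placeholder MACs).
            case "00-11-22-33-44-55" {
                ok
            }
            case "00-11-22-33-44-66" {
                ok
            }
            #  Known but blocked.
            case "00-11-22-33-44-77" {
                update reply {
                    &Reply-Message := "MAC is blocked"
                }
                reject
            }
            #  Anything else is unknown: the tail deny.
            case {
                update reply {
                    &Reply-Message := "MAC not registered"
                }
                reject
            }
        }
    }
    #  Open SSID: a valid EAP-CERT-02 certificate is sufficient,
    #  no MAC list is consulted.
    elsif ((&Tmp-String-0 == "OPEN") && (&TLS-Client-Cert-Common-Name == "EAP-CERT-02")) {
        ok
    }
    #  Every other combination (the right cert on the wrong SSID, or an
    #  SSID this policy does not know) is refused explicitly.
    else {
        update reply {
            &Reply-Message := "Certificate not valid for this SSID"
        }
        reject
    }
}
```

The certificate check itself is not repeated here: if the chain does not verify, rlm_eap has already failed the request in "authenticate" and post-auth never sees it. What this fragment adds is the binding between SSID and certificate profile; without the final else, a client holding the OPEN-SSID certificate would be accepted on the MAC-limited SSID as soon as the first condition fell through, so the explicit tail deny matters.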