Conditional EAP Type Acceptance

[Mike DiBella]

I have FR set up to authenticate based EAP-TLS certificate and authorize based on finding an object in LDAP where Calling-Station-Id from the supplicant is equal to an attribute containing the WLAN MAC address, and an additional compliance attribute is equal to zero.    This allows me to only accept requests from managed devices that are policy compliant.

Now I need to add a way to accept requests from guest devices.

So I would need to break the LDAP check into two parts.   First, if an object exists where the MAC attribute matches the request Calling-Station-Id , authenticate by EAP-TLS.   If authenticated, accept the request if the compliance attribute is zero.

If the MAC address is not found, authenticate using PEAP.   Accept on credential match.    I only need a few guest accounts, so I'd load them in a simple store.   Which backend would be most suited for the PEAP accounts?      I'd want to be able to rotate the guest account passwords periodically without much fuss.