eap-tls with valid and fake certificates.
Martin Pauly
pauly at hrz.uni-marburg.de
Fri Jan 17 12:06:25 CET 2020
Hello,
>> Hello ! The Idea is to authenticate users with eap-tls with
>> certificates. People without any certificate should use different vlan
>> provided by Radius. Only supported authentication should be eap-
>> tls. Is it possible to make authentication with eap-tls with
>> certificates for valid users and some "guest vlan" for users
>> which hasn't any or unknown certificates ?
> It's not possible. If the device doesn't present a valid certificate,
> it won't authenticate. You can't force an "Accept" with EAP methods.
Really? Couldn't you branch the processing based on the outer ID?
Let all your well-managed users present some special outer id
and treat the rest differently.
Like in radiusd.conf, you do
# authorize section: branch on the (unauthenticated) outer identity
if (&User-Name == "my-fancy-outer-id@my-institution.org") {
    # managed users: hand the request to the eap module and stop here
    # once it has taken it (rlm_eap returns ok or updated in authorize)
    eap {
        ok = return
        updated = return
    }
}
else {
    # [do other stuff]
}
In the users file, make sure that every bunch of users gets the correct
reply items, i.e. Tunnel-Private-Group-ID etc.
The "Other stuff" section could be omitted, then default processing goes on.
Or you could call an alternate eap config here that you have prepared in the eap module configuration.
This setup would seem a bit shaky, though: A mistake in the users file could easily
bring the internal VLAN to your guests.
But then, you could branch even earlier by proxying different outer IDs
to different virtual servers, right? Only this time, the decision would be
based on the realm part of the outer ID.
Cheers, Martin
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly at HRZ.Uni-Marburg.DE
D-35032 Marburg
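A fuller version of the branch sketched in the post above, as an added example that is neither the post's nor the FreeRADIUS project's own configuration. It assumes FreeRADIUS 3.x unlang, an eap module that permits only EAP-TLS, VLAN 100 as the internal VLAN, VLAN 200 as the guest VLAN, and a switch that sends non-EAP guest devices to the same virtual server. Unlike the sketch, it makes every VLAN decision in post-auth and keys the internal VLAN on a completed EAP run (the eap module sets control:Auth-Type) rather than on the outer identity alone, so a slip in the users file cannot hand the internal VLAN to guests.

```unlang
# Constructed example, not from the list post or from FreeRADIUS itself.
# Assumptions: FreeRADIUS 3.x, eap module restricted to EAP-TLS,
# VLAN 100 = internal, VLAN 200 = guest.
authorize {
    # The outer identity is a free-form string chosen by the supplicant;
    # it is not authenticated, so it may only select a processing path.
    if (&User-Name == "my-fancy-outer-id@my-institution.org") {
        # Managed devices: EAP-TLS is mandatory. rlm_eap returns ok or
        # updated once it has taken the request; anything else (no
        # EAP-Message, malformed EAP) is rejected outright.
        eap {
            ok = return
            updated = return
        }
        reject
    }
    else {
        # Everyone else: no EAP at all, a plain Accept into the guest VLAN.
        update control {
            &Auth-Type := Accept
        }
    }
}

post-auth {
    # Start from the guest VLAN for every Access-Accept ...
    update reply {
        &Tunnel-Type := VLAN
        &Tunnel-Medium-Type := IEEE-802
        &Tunnel-Private-Group-Id := "200"
    }
    # ... and move to the internal VLAN only when the eap module actually
    # ran (it sets control:Auth-Type := EAP) and the TLS handshake
    # succeeded, which is the only way to reach post-auth on that path.
    if (&control:Auth-Type == EAP) {
        update reply {
            &Tunnel-Private-Group-Id := "100"
        }
    }
}
```

A device that sends the special outer identity without completing EAP-TLS hits the reject, and a guest never enters the EAP path at all, so the internal VLAN is unreachable without a valid certificate.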