deployment with two completely different sets of certificates
Matthew Newton
mcn at freeradius.org
Wed Nov 8 09:37:29 UTC 2023
On 07/11/2023 20:33, Marek Zarychta wrote:
> So far I have extended mods-enabled/eap and have there:
>
> eap eap1 {
>     old realm / without realm settings
> }
> eap eap2 {
>     new realm settings
> }
> eap {
>     old realm / without realm settings
> }
"eap" is just a duplicate of "eap1" then? It sounds like you don't need it.
>
> then added to sites-enabled/old.realm:
>
> if ((User-Name =~ /new\.realm$/) || (Inner-Realm-Name =~ /new\.realm$/)) {
You don't have access to any inner details in the outer section, so that
won't work.
>     update control {
>         Auth-Type := eap2
>     }
> }
No, don't set Auth-Type. All the documentation says to never set Auth-Type.
Call the appropriate eap module, something like

    split_username_nai
    if (&Stripped-User-Domain == "new.realm") {
        eap2 {
            ok = return
        }
    }
    else {
        eap1 {
            ok = return
        }
    }

and comment out the existing "eap" call.
You'll need to add "eap1" and "eap2" to the authenticate{} section, too.
And also copy sites-enabled/inner-tunnel to two different files, and
configure the eap modules to use their own particular one that calls the
appropriate eap1/2 module as well.
> but the authentications though successful, are still handled by eap1:
Yes, because you're modifying Auth-Type when the eap module should be
doing it.
> So I am stuck. Please, any clues helping to proceed this further will be
> appreciated.
Don't try and use one shared eap module, you need to make sure
everything is split into two and always calls the appropriate one.
--
Matthew
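Added example, not part of Matthew's reply or of the FreeRADIUS distribution: one way the split described above can be laid out in a FreeRADIUS 3.x configuration. The instance names eap1/eap2 and the split_username_nai / Stripped-User-Domain usage are taken from the reply; the realm names, certificate paths, the tls-config names tls-old / tls-new and the virtual-server names inner-tunnel-old / inner-tunnel-new are assumptions. Only the sections that differ from a stock install are shown.

```unlang
# --- mods-enabled/eap (added example; realms, paths and names are assumptions) ---
# Two fully separate eap instances. Each carries its own tls-config (its own
# server certificate, key and CA) and sends TTLS/PEAP inner requests to its
# own inner-tunnel virtual server, so nothing is shared between the realms.
eap eap1 {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = ${max_requests}

    tls-config tls-old {
        private_key_file = ${certdir}/old-realm/server.key
        certificate_file = ${certdir}/old-realm/server.pem
        ca_file = ${cadir}/old-realm/ca.pem
        dh_file = ${certdir}/dh
    }
    tls {
        tls = tls-old
    }
    ttls {
        tls = tls-old
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel-old"
    }
    peap {
        tls = tls-old
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel-old"
    }
    mschapv2 {
    }
}

eap eap2 {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = ${max_requests}

    tls-config tls-new {
        private_key_file = ${certdir}/new-realm/server.key
        certificate_file = ${certdir}/new-realm/server.pem
        ca_file = ${cadir}/new-realm/ca.pem
        dh_file = ${certdir}/dh
    }
    tls {
        tls = tls-new
    }
    ttls {
        tls = tls-new
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel-new"
    }
    peap {
        tls = tls-new
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel-new"
    }
    mschapv2 {
    }
}

# --- sites-enabled/default (outer server), relevant sections only ---
authorize {
    filter_username
    # split_username_nai (policy.d/filter) fills Stripped-User-Name and
    # Stripped-User-Domain from an NAI-style User-Name such as bob@new.realm.
    # Routing on the outer identity's realm is what works here: the outer
    # section cannot see anything inside the TLS tunnel.
    split_username_nai
    if (&Stripped-User-Domain == "new.realm") {
        eap2 {
            ok = return
        }
    }
    else {
        eap1 {
            ok = return
        }
    }
    # the stock "eap { ok = return }" call is removed; never set Auth-Type by hand
}
authenticate {
    # each instance sets Auth-Type to its own instance name, so both are listed
    eap1
    eap2
}

# --- sites-enabled/inner-tunnel-old: a copy of the stock inner-tunnel with
#     every "eap" call replaced by eap1. inner-tunnel-new is the same file
#     with eap2 instead, so the inner EAP-MSCHAPv2 leg also stays per-realm. ---
server inner-tunnel-old {
    authorize {
        filter_username
        eap1 {
            ok = return
        }
        files
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        eap1
    }
}
```

A quick way to confirm the split is working is `radiusd -X` with a test supplicant for each realm: the debug output should show the outer request entering eap2 for new.realm and eap1 for everything else, and the inner request being processed in the matching inner-tunnel-old / inner-tunnel-new server rather than the stock inner-tunnel.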