deployment with two completely different sets of certificates

Matthew Newton mcn at
Wed Nov 8 09:37:29 UTC 2023

On 07/11/2023 20:33, Marek Zarychta wrote:
>   So far I  have extended mods-enabled/eap and have there:
> eap eap1 {
> old realm / without realm settings
> }
> eap eap2 {
> new realm settings
> }
> eap {
> old realm / without realm settings
> }

"eap" is just a duplicate of "eap1" then? It sounds like you don't need it.

> then added to sites-enabled/old.realm:
>          if ((User-Name =~ /new\.realm$/) || ( Inner-Realm-Name =~ 
> /new\.realm$/)) {

You don't have access to any inner details in the outer section, so that 
won't work.

>                update control {
>                    Auth-Type := eap2
>                  }
>          }

No, don't set Auth-Type. All the documentation says to never set Auth-Type.

Call the appropriate eap module, something like


   if (&Stripped-User-Domain == "new.realm") {
     eap2 {
       ok = return
   else {
     eap1 {
       ok = return

and comment out the existing "eap" call.

You'll need to add "eap1" and "eap2" to the authenticate{} section, too. 
And also copy sites-enabled/inner-tunnel to two different files, and 
configure the eap modules to use their own particular one that calls the 
appropriate eap1/2 module as well.

> but the authentications though successful, are still handled by eap1:

Yes, beacuse you're modifying Auth-Type when the eap module should be 
doing it.

> So I am stuck. Please, any clues helping to proceed this further will be 
> appreciated.

Don't try and use one shared eap module, you need to make sure 
everything is split into two and always calls the appropriate one.


More information about the Freeradius-Users mailing list