deployment with two completely different sets of certificates

Marek Zarychta zarychtam at plan-b.pwste.edu.pl
Wed Nov 8 19:28:23 UTC 2023


On 8.11.2023 at 10:37, Matthew Newton via Freeradius-Users wrote:
>
>
> On 07/11/2023 20:33, Marek Zarychta wrote:
>>   So far I  have extended mods-enabled/eap and have there:
>>
>> eap eap1 {
>> old realm / without realm settings
>> }
>> eap eap2 {
>> new realm settings
>> }
>> eap {
>> old realm / without realm settings
>> }
>
> "eap" is just a duplicate of "eap1" then? It sounds like you don't 
> need it.
>
>>
>> then added to sites-enabled/old.realm:
>>
>>          if ((User-Name =~ /new\.realm$/) || ( Inner-Realm-Name =~ 
>> /new\.realm$/)) {
>
> You don't have access to any inner details in the outer section, so 
> that won't work.
>
>>                update control {
>>                    Auth-Type := eap2
>>                  }
>>          }
>
> No, don't set Auth-Type. All the documentation says to never set 
> Auth-Type.
>
> Call the appropriate eap module, something like
>
>   split_username_nai
>
>   if (&Stripped-User-Domain == "new.realm") {
>     eap2 {
>       ok = return
>     }
>   }
>   else {
>     eap1 {
>       ok = return
>     }
>   }
>
> and comment out the existing "eap" call.
>
> You'll need to add "eap1" and "eap2" to the authenticate{} section, 
> too. And also copy sites-enabled/inner-tunnel to two different files, 
> and configure the eap modules to use their own particular one that 
> calls the appropriate eap1/2 module as well.
>
>> but the authentications though successful, are still handled by eap1:
>
> Yes, because you're modifying Auth-Type when the eap module should be 
> doing it.
>
>> So I am stuck. Please, any clues helping me to proceed further with this 
>> will be appreciated.
>
>
> Don't try and use one shared eap module, you need to make sure 
> everything is split into two and always calls the appropriate one. 


Thank you Matthew,

your tips were invaluable as always. The configuration was fixed and now 
the whole solution works as intended.

-- 
Marek Zarychta
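The split Matthew describes above, written out as one consistent set of FreeRADIUS 3.x fragments. This is an added example, not configuration from this thread or from the FreeRADIUS project; the certificate paths, the realm name "new.realm", and the virtual-server names "inner-tunnel-old" / "inner-tunnel-new" are assumptions. The realm test runs in the outer server, where only the outer (possibly anonymous) identity is visible, so clients must send an outer User-Name that still carries the realm suffix (e.g. anonymous@new.realm) for the dispatch to work; Inner-Realm-Name cannot be used there.

```unlang
# mods-enabled/eap -- two independent EAP instances, each with its own
# certificates and its own inner-tunnel server. The plain "eap" instance
# is dropped; nothing should call it any more.
eap eap1 {
    default_eap_type = peap
    timer_expire     = 60
    max_sessions     = ${max_requests}

    tls-config tls-old {
        private_key_file = ${certdir}/old.realm.key      # assumed paths
        certificate_file = ${certdir}/old.realm.pem
        ca_file          = ${cadir}/old.realm-ca.pem
    }
    tls {
        tls = tls-old
    }
    peap {
        tls            = tls-old
        virtual_server = "inner-tunnel-old"
    }
    ttls {
        tls            = tls-old
        virtual_server = "inner-tunnel-old"
    }
}

eap eap2 {
    default_eap_type = peap
    timer_expire     = 60
    max_sessions     = ${max_requests}

    tls-config tls-new {
        private_key_file = ${certdir}/new.realm.key      # assumed paths
        certificate_file = ${certdir}/new.realm.pem
        ca_file          = ${cadir}/new.realm-ca.pem
    }
    tls {
        tls = tls-new
    }
    peap {
        tls            = tls-new
        virtual_server = "inner-tunnel-new"
    }
    ttls {
        tls            = tls-new
        virtual_server = "inner-tunnel-new"
    }
}

# sites-enabled/default -- outer server. The original bare "eap" call is
# removed; the realm decides which instance handles the request.
server default {
    authorize {
        filter_username
        preprocess
        # policy.d: fills Stripped-User-Name / Stripped-User-Domain
        split_username_nai

        if (&Stripped-User-Domain == "new.realm") {
            eap2 {
                ok = return
            }
        }
        else {
            eap1 {
                ok = return
            }
        }
        files
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        # Each instance sets control:Auth-Type to its own name (eap1/eap2),
        # so both must be listed here. Never set Auth-Type by hand in unlang.
        eap1
        eap2
    }
}

# sites-enabled/inner-tunnel-old -- a copy of the stock inner-tunnel that
# only ever calls eap1. inner-tunnel-new is the same file with every eap1
# replaced by eap2. The stock listen {} block (127.0.0.1:18120) exists only
# for local testing; drop it from the copies or give each a distinct port.
server inner-tunnel-old {
    authorize {
        filter_username
        eap1 {
            ok = return
        }
        files
        mschap
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap1
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

A quick way to confirm the dispatch is to run `radiusd -X` and watch which instance logs the TLS handshake for a test user in each realm: a request for user@new.realm should show eap2 and inner-tunnel-new, while any other user stays on eap1 and inner-tunnel-old.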
