Makes sense. I'm doing EAP-TTLS with LDAP. I probably wouldn't need to define 2 diff ldap instances, since they'd both point to the same ldap server. However, I wonder if the ":=" operator would cause freeradius to ignore any other auth methods (such as ldap)? Doesn't that act as an "override" of sorts, or am I way off?
thanks!

----- Original Message -----
From: Michael Griego <[EMAIL PROTECTED]>
Date: Monday, August 8, 2005 5:53 pm
Subject: Re: different eap/tls config for different interfaces

> By its Client-IP-Address attribute or NAS-IP-Address attribute.
>
> Also, you can use the Packet-Dst-IP-Address attribute if you're certain
> that the clients are split up by interface. You can match up based on
> incoming interface like you were thinking about doing with two different
> servers. So, if your server is listening on 10.0.0.1 and 10.0.1.1, and
> your EAP modules are named EAPauth1 and EAPauth2, you could do:
>
> DEFAULT Packet-Dst-IP-Address == 10.0.0.1, EAP-Message =* "", Auth-Type := EAPauth1
>
> DEFAULT Packet-Dst-IP-Address == 10.0.1.1, EAP-Message =* "", Auth-Type := EAPauth2
>
> This functionality may only be CVS snapshots, though. I'm not sure as I
> haven't looked to see if it exists in the production releases.
>
> --Mike
>
> [EMAIL PROTECTED] wrote:
>
> >Mike,
> >
> >Sounds good, thanks for the info. Just curious: In the dual eap-tls
> >configuration that you mentioned in the second paragraph, how would
> >the radius server know which one to use for a given client?
> >
> >thanks!
> >
> >----- Original Message -----
> >From: Michael Griego <[EMAIL PROTECTED]>
> >Date: Friday, August 5, 2005 11:34 pm
> >Subject: Re: different eap/tls config for different interfaces
> >
> >>After I'm done with the rlm_eap_tls rewrites and rlm_eap updates, there
> >>will be functionality to have multiple EAP submodules of the same type
> >>with different configurations. With this, you'll be able to force the
> >>use of a specific EAP type instance by its instance name.
> >>
> >>In the meantime, if you want to avoid bringing up two servers, you *can*
> >>configure two EAP module instances, each with a different tls submodule
> >>configuration. Force the Auth-Type to the EAP module with the correct
> >>tls configuration based on your criteria. I've used this scenario in
> >>the past.
> >>
> >>--Mike
> >>
> >>[EMAIL PROTECTED] wrote:
> >>
> >>>Oh...duh...that makes sense. Should have considered that. I have since
> >>>tested the behavior of the scenario I described, and Alan's on target.
> >>>Doesn't really seem to matter which interface I enter on, or which
> >>>common-name I use. Seems to work either way.
> >>>
> >>>thanks for the help!
> >>>
> >>>----- Original Message -----
> >>>From: Kris Benson <[EMAIL PROTECTED]>
> >>>Date: Friday, August 5, 2005 5:28 pm
> >>>Subject: Re: different eap/tls config for different interfaces
> >>>
> >>>>>[EMAIL PROTECTED] wrote:
> >>>>>
> >>>>>>If so, is it possible to have 2 different tls sections that service
> >>>>>>the 2 different interfaces?
> >>>>>
> >>>>>No. FreeRADIUS supports only 1 TLS module at a time.
> >>>>
> >>>>What Alan forgot to mention is a solution.
> >>>>
> >>>>If you run two copies of the Radius server, with one bound to either a
> >>>>different set of ports, or one to each IP, you could have separate
> >>>>configs.
> >>>>-kb
> >>>>--
> >>>>Kris Benson, CCP, I.S.P.
> >>>>Technical Analyst, District Projects
> >>>>School District #57 (Prince George)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
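
An added example, not part of the thread and not FreeRADIUS code: a simplified Python model of how the two DEFAULT entries quoted above select an EAP instance by incoming interface, using the users-file operator meanings (`==` compares, `=*` tests presence, `:=` replaces the config item). The function names, the sample requests and the pre-set `Auth-Type` value of `LDAP` are assumptions made for illustration.

```python
# Simplified model of users-file check items; not FreeRADIUS source code.
# The two entries mirror the DEFAULT lines quoted in the thread.
USERS = [
    ("DEFAULT", [("Packet-Dst-IP-Address", "==", "10.0.0.1"),
                 ("EAP-Message", "=*", ""),
                 ("Auth-Type", ":=", "EAPauth1")]),
    ("DEFAULT", [("Packet-Dst-IP-Address", "==", "10.0.1.1"),
                 ("EAP-Message", "=*", ""),
                 ("Auth-Type", ":=", "EAPauth2")]),
]


def entry_matches(name, checks, request):
    """Return True when the entry name and all comparison items match."""
    if name != "DEFAULT" and name != request.get("User-Name"):
        return False
    for attr, op, value in checks:
        if op == "==" and request.get(attr) != value:
            return False  # attribute missing or different value
        if op == "=*" and attr not in request:
            return False  # presence test: value is ignored
        # ":=" assigns rather than compares, so it never blocks a match
    return True


def authorize(request, config=None):
    """Apply the first matching entry and return the resulting config items."""
    config = dict(config or {})
    for name, checks in USERS:
        if entry_matches(name, checks, request):
            for attr, op, value in checks:
                if op == ":=":
                    config[attr] = value  # replaces any value already set
            break  # first match wins; these entries set no Fall-Through
    return config


# Constructed sample requests (hypothetical user and attribute values).
EAP_ON_IF1 = {"User-Name": "alice", "Packet-Dst-IP-Address": "10.0.0.1",
              "EAP-Message": "0x02010005"}
EAP_ON_IF2 = dict(EAP_ON_IF1, **{"Packet-Dst-IP-Address": "10.0.1.1"})
NON_EAP = {"User-Name": "alice", "Packet-Dst-IP-Address": "10.0.0.1"}

if __name__ == "__main__":
    print(authorize(EAP_ON_IF1))                         # forced to EAPauth1
    print(authorize(EAP_ON_IF2, {"Auth-Type": "LDAP"}))  # replaced by EAPauth2
    print(authorize(NON_EAP, {"Auth-Type": "LDAP"}))     # entry skipped
```

In this model a request without EAP-Message matches neither entry, so an Auth-Type set elsewhere is left as it was.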