Rainer Brinkmann wrote:
Hello,

we wonder how a freeradius can request a client to use a fixed EAP-Method:
so it's defined:
Client starts with EAP-Start-Msg
Radius wants EAP-Identity
Client answers with Username or Hostname NOT using a special EAP-Method

Radius now starts communicating with the first EAP-Packet, using the
special EAP-Method

For this, it will use the default_eap_type


Question:

you run many SSIDs in your wireless LAN:
SSID1 shall use EAP-TTLS
SSID2 shall use EAP-TLS    (high-secured Net like personal Data)

what logic starts the right inner-EAP-Protocol, because neither the
AccessPoint (WLAN-Controller) nor the
radius server knows what Method to use when there are many enabled.

e.g. on a Cisco RADIUS that runs with PEAP and TLS enabled, but there's no
special attribute defined to control that

Yes there is. Set "EAP-Type" (see dictionary.freeradius.internal)

e.g.

DEFAULT Your-SSID-AVP = "SSID1", EAP-Type := EAP-TTLS

DEFAULT Your-SSID-AVP = "SSID2", EAP-Type := EAP-TLS

Note however, the client can still NAK the radius server and request a different type, and the radius server will allow that. To prevent that, you'd need to run >1 instance of the eap module and disable the other eap types. The following is untested and may not work for various reasons, but is worth a try:

modules {
  eap eap_ttlsonly {
    default_eap_type = ttls
    # only define one eap sub-module
    ttls {
      # stuff
    }
  }

  eap eap_tlsonly {
    default_eap_type = tls
    # only define one eap sub-module
    tls {
      # stuff
    }
  }
}

authorize {
  preprocess
  users
  Autz-Type TTLS-only {
    eap_ttlsonly
  }
  Autz-Type TLS-only {
    eap_tlsonly
  }
}
authenticate {
  Auth-Type TTLS-only {
    eap_ttlsonly
  }
  Auth-Type TLS-only {
    eap_tlsonly
  }
}

...then in "users":

DEFAULT SSID = "ssid1", Autz-Type := TTLS-only, Auth-Type := TTLS-only

DEFAULT SSID = "ssid2", Autz-Type := TLS-only, Auth-Type := TLS-only



thanks for reply,
Rainer Brinkmann

University-Clinicum Hamburg / Germany
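As an added illustration of the NAK caveat in the reply above (this is not code from the thread or from FreeRADIUS itself): a peer that does not want the method the server proposed answers with an EAP Response of Type 3 (Nak) listing the method types it would accept (RFC 3748). The snippet parses that packet and checks the requested types against the per-SSID policy from the reply (SSID1 = EAP-TTLS, SSID2 = EAP-TLS); the SSID name and the policy table are assumptions taken from the thread, the type numbers (TLS = 13, TTLS = 21, PEAP = 25) are the IANA-assigned values.

```python
"""Parse an EAP packet and flag a client NAK that asks for a method the SSID does not permit."""
import struct

# EAP codes and selected method types (RFC 3748 / IANA EAP registry)
EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY, TYPE_NAK, TYPE_TLS, TYPE_TTLS, TYPE_PEAP = 1, 3, 13, 21, 25

# Per-SSID policy as proposed in the reply above (assumption: one method per network)
SSID_POLICY = {"SSID1": TYPE_TTLS, "SSID2": TYPE_TLS}


def parse_eap(pkt: bytes) -> dict:
    """Parse the 4-byte EAP header, the Type octet and the type-data.

    For a Nak (Type 3) the type-data is the list of desired method types;
    a list containing only 0 means the peer has no acceptable method."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short for header plus Type")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    eap_type = pkt[4]
    data = pkt[5:]
    desired = list(data) if eap_type == TYPE_NAK else []
    return {"code": code, "id": ident, "type": eap_type, "desired": desired}


def build_eap(code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """Encode an EAP packet; used here only to construct sample input."""
    return struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([eap_type]) + data


def nak_violates_policy(ssid: str, pkt: bytes) -> bool:
    """True when a Response/Nak from a client on `ssid` does not offer the
    method that SSID is allowed to use, i.e. the negotiation the reply warns about."""
    p = parse_eap(pkt)
    if p["code"] != EAP_RESPONSE or p["type"] != TYPE_NAK:
        return False            # not a Nak: nothing to decide here
    return SSID_POLICY[ssid] not in p["desired"]


if __name__ == "__main__":
    # Constructed sample: server offers EAP-TLS on SSID2, client Naks asking for PEAP
    nak_peap = build_eap(EAP_RESPONSE, 7, TYPE_NAK, bytes([TYPE_PEAP]))
    print("Nak for PEAP on SSID2 violates policy:", nak_violates_policy("SSID2", nak_peap))
    # Client offers TTLS or TLS: TLS is permitted, so the server can still continue
    nak_ok = build_eap(EAP_RESPONSE, 7, TYPE_NAK, bytes([TYPE_TTLS, TYPE_TLS]))
    print("Nak listing TTLS,TLS on SSID2 violates policy:", nak_violates_policy("SSID2", nak_ok))
```

With a single-method eap instance per SSID as in the reply, the server would reject such a Nak itself; the check above is what you would log or alert on when auditing EAP negotiations.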



- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
