Rainer Brinkmann wrote:
Hello,
we wonder how a freeradius can request a client to use a fixed EAP-Method:
so it's defined:
Client starts with EAP-Start-Msg
Radius wants EAP-Identity
Client answers with Username or Hostname NOT using a special EAP-Method
Radius now starts communicating with the first EAP-Packet, using the
special EAP-Method
For this, it will use the default_eap_type
Question:
you run in your wireless LAN many SSIDs:
SSID1 shall use EAP-TTLS
SSID2 shall use EAP-TLS (high-secured Net like personal Data)
what logic starts the right inner-EAP-Protocol, because neither the
AccessPoint (WLAN-Controller) nor the
radius server knows what Method to use, when there are many enabled.
e.g. on a cisco-Radius, that runs with enabled PEAP and TLS, but there's no
special attribute defined to control that
Yes there is. Set "EAP-Type" (see dictionary.freeradius.internal)
e.g.
DEFAULT Your-SSID-AVP = "SSID1", EAP-Type := EAP-TTLS
DEFAULT Your-SSID-AVP = "SSID2", EAP-Type := EAP-TLS
Note however, the client can still NAK the radius server and request a
different type, and the radius server will allow that. To prevent that,
you'd need to run >1 instance of the eap module and disable the other
eap types. The following is untested and may not work for various
reasons, but is worth a try:
modules {
    eap eap_ttlsonly {
        default_eap_type = ttls
        # only define one eap sub-module
        ttls {
            # stuff
        }
    }
    eap eap_tlsonly {
        default_eap_type = tls
        # only define one eap sub-module
        tls {
            # stuff
        }
    }
}

authorize {
    preprocess
    users
    Autz-Type TTLS-only {
        eap_ttlsonly
    }
    Autz-Type TLS-only {
        eap_tlsonly
    }
}

authenticate {
    Auth-Type TTLS-only {
        eap_ttlsonly
    }
    Auth-Type TLS-only {
        eap_tlsonly
    }
}
...then in "users":
DEFAULT SSID = "ssid1", Autz-Type := TTLS-only, Auth-Type := TTLS-only
DEFAULT SSID = "ssid2", Autz-Type := TLS-only, Auth-Type := TLS-only
thanks for reply,
Rainer Brinkmann
University-Clinicum Hamburg / Germany
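To make the NAK point in the reply concrete, here is an added example (not code from the thread and not FreeRADIUS code) that models the EAP method negotiation of RFC 3748 in Python. It encodes and decodes the EAP packet header, runs the Identity round, and then compares two server configurations: one where EAP-Type only picks the method offered first while every method stays enabled (a peer Nak can switch methods), and one where the eap instance has a single method enabled (a Nak to any other method ends in EAP-Failure). The SSID-to-method policy table and the peer identity are constructed; the EAP type numbers are the IANA assignments (TLS 13, TTLS 21, PEAP 25). Inner authentication, fragmentation and RADIUS transport are left out because they do not affect the method-selection step.

```python
"""Model of EAP method negotiation (RFC 3748 Nak handling).

Added example, not from the mailing-list thread or the FreeRADIUS project.
It shows why setting EAP-Type alone does not pin the method: the peer may Nak
the offered type and the server will honour the Nak for any enabled method.
"""
import struct

# EAP codes (RFC 3748 section 4)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
# EAP type numbers: Identity and Nak from RFC 3748, TLS/TTLS/PEAP from the IANA registry
TYPE_IDENTITY, TYPE_NAK, TYPE_TLS, TYPE_TTLS, TYPE_PEAP = 1, 3, 13, 21, 25
TYPE_NAMES = {TYPE_TLS: "tls", TYPE_TTLS: "ttls", TYPE_PEAP: "peap"}
NAME_TYPES = {v: k for k, v in TYPE_NAMES.items()}


def encode(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode(pkt):
    """Parse an EAP packet; the Length field must match the bytes actually received."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    if length == 4:  # Success/Failure carry no Type field
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


class EapServer:
    """Offers default_eap_type first and honours a Nak only for enabled methods."""

    def __init__(self, default_type, enabled):
        self.default_type = default_type
        self.enabled = set(enabled)
        self.ident = 0

    def start(self):
        return encode(REQUEST, self.ident, TYPE_IDENTITY)

    def handle(self, pkt):
        code, ident, eap_type, data = decode(pkt)
        if code != RESPONSE or ident != self.ident:
            return encode(FAILURE, ident)
        self.ident += 1
        if eap_type == TYPE_IDENTITY:
            # First method Request uses the configured default type
            return encode(REQUEST, self.ident, NAME_TYPES[self.default_type])
        if eap_type == TYPE_NAK:
            # Nak Type-Data lists the types the peer is willing to do; take the first enabled one
            for wanted in data:
                if TYPE_NAMES.get(wanted) in self.enabled:
                    return encode(REQUEST, self.ident, wanted)
            return encode(FAILURE, self.ident)
        return encode(FAILURE, self.ident)


def negotiate(server, peer_identity, peer_wants):
    """Drive the exchange until the peer gets a Request for a method it does; return it or None."""
    _, ident, _, _ = decode(server.start())
    req = server.handle(encode(RESPONSE, ident, TYPE_IDENTITY, peer_identity))
    code, ident, eap_type, _ = decode(req)
    if code == REQUEST and TYPE_NAMES.get(eap_type) == peer_wants:
        return peer_wants
    # Peer does not do the offered method: answer with a Nak naming what it wants
    nak = encode(RESPONSE, ident, TYPE_NAK, bytes([NAME_TYPES[peer_wants]]))
    code, _, eap_type, _ = decode(server.handle(nak))
    return TYPE_NAMES.get(eap_type) if code == REQUEST else None


# Constructed SSID policy mirroring the users-file entries in the reply (SSID1 -> TTLS, SSID2 -> TLS)
POLICY = {"SSID1": "ttls", "SSID2": "tls"}
ALL_METHODS = ("tls", "ttls", "peap")


def server_for(ssid, single_method_instance):
    """EAP-Type only: default set, all methods enabled. Dedicated instance: default is the only method."""
    default = POLICY[ssid]
    enabled = (default,) if single_method_instance else ALL_METHODS
    return EapServer(default, enabled)


if __name__ == "__main__":
    peer = b"user@example.org"  # constructed identity
    for single in (False, True):
        mode = "single-method instance" if single else "EAP-Type only"
        print(mode, "SSID2, peer insists on ttls ->", negotiate(server_for("SSID2", single), peer, "ttls"))
```

Running it shows the difference the reply warns about: with all methods enabled the peer's Nak moves SSID2 from TLS to TTLS, whereas the single-method instance answers the Nak with Failure, so the high-security SSID cannot be negotiated down by the client.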
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html