Hi FreeRADIUS user community, I'm in search of some ideas for the following situation:
Given are several WLANs controlled by a Siemens HiPath C2400 WLAN Controller with Siemens APs. The controller provides different WLANs identified by different ESSIDs. All WLAN clients use IEEE 802.1X authentication with EAP-TLS and client certificates. The authentication is done by FreeRADIUS 1.0.1 on Red Hat EL AS4. At the moment, all clients use certificates, and inside the FreeRADIUS eap-tls section the CA certificates are trusted. All Windows clients use a MS CA and have certificates with the Windows system name as the certificate's common name. Other devices like mobile scanners or WLAN mobile phones (VoIP) have manually generated certificates with the device type as the certificate's common name, like "phone", "mobile scanner" or similar. So far, it works.

But now I was asked if it is possible to restrict the association of several device types to defined ESSIDs. There should be a WLAN "office" where all devices are allowed to connect if they have a valid certificate. Other ESSIDs should only accept special devices, e.g. only devices with the certificate common name "phone" should be allowed to connect to the ESSID "voice". I know the Siemens controller is able to send the ESSID the device is trying to connect to inside the RADIUS request as a vendor-specific attribute.

Is it possible with FreeRADIUS to match these requirements? To select based on the ESSID the device is connecting to? If the connecting ESSID is "office", all devices with a valid certificate are allowed to connect. If the ESSID is "voice", only devices with a valid certificate and with a certificate common name that contains "*phone*" are allowed to connect. If the ESSID is "production-1", only devices with a valid certificate and with a certificate common name that contains "*mobile scanner*" are allowed to connect.

I've googled a lot, without success. All FreeRADIUS documentation I've found about eap-tls only describes how to accept all devices with a valid certificate.
I've seen this scenario running with commercial RADIUS servers, but I guess it might also be possible using FreeRADIUS. Any tip or idea is welcome.

-- Ulf Leichsenring u...@leichsenring.net

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
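As an added illustration of the ESSID-to-certificate-CN policy asked for above (not from the original post, and not something FreeRADIUS 1.0.1 can express), here is how it looks as an unlang policy for FreeRADIUS 3.x. Assumptions: the Siemens vendor-specific attribute carrying the ESSID is called `Siemens-ESSID` here as a placeholder and must be replaced with the name from your dictionary, and the verified client certificate's `TLS-Client-Cert-Common-Name` is available in the `session-state` list by the time `post-auth` runs for an EAP-TLS session.

```text
# Added example, FreeRADIUS 3.x unlang (sites-enabled/default, post-auth section).
# Siemens-ESSID is a placeholder VSA name; TLS-Client-Cert-Common-Name in
# &session-state is assumed to hold the CN of the verified client certificate.
post-auth {
    # Only evaluate the policy when a client certificate was actually verified;
    # a "reject" here turns the pending Access-Accept into an Access-Reject.
    if (&session-state:TLS-Client-Cert-Common-Name) {
        switch "%{Siemens-ESSID}" {
            case "office" {
                # Any device with a valid certificate may associate.
                ok
            }
            case "voice" {
                # Only certificates whose CN contains "phone".
                if (&session-state:TLS-Client-Cert-Common-Name !~ /phone/i) {
                    reject
                }
            }
            case "production-1" {
                # Only certificates whose CN contains "mobile scanner".
                if (&session-state:TLS-Client-Cert-Common-Name !~ /mobile scanner/i) {
                    reject
                }
            }
            case {
                # Default: an ESSID with no explicit rule is denied, so adding a
                # new WLAN on the controller cannot silently open it to all devices.
                reject
            }
        }
    }
}
```

If the controller omits the VSA on some WLANs, the expansion is empty and the request falls into the default `case`, which is the safe direction; confirm with `radiusd -X` that the attribute name and list are what your dictionary and server version actually use before relying on it.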