>> - Have two instances of the EAP module (one for
>> internal SSIDs and one for guest) and select
>> which one to use with some unlang code (based upon
>> the value of 1 request attribute)
>
> That should work.
I'm having trouble getting this to work. I added the following to my authorize section:

    # Extract SSID into SSID-Name attribute
    if (Cisco-AVPair =~ /ssid=(.*)/) {
        update request {
            SSID-Name = "%{1}"
        }
    }

    # Select appropriate EAP instance
    if (SSID-Name) {
        if (SSID-Name == "XX-Barcode") {
            eap-internal
        }
        elsif (SSID-Name == "EE-Barcode") {
            eap-internal
        }
        else {
            eap-comodo
        }
    }
    else {
        eap-comodo
    }

I have two instances in modules/eap that are identical except for the certificate_file and key_file. When I try to connect, I see the following in the debug output (I can provide more if needed, but I think this will illustrate what's happening). I then tried using the same certificate & key file and still received the same error:

Fri Jul 24 12:25:27 2009 : Info: ++? if (SSID-Name)
Fri Jul 24 12:25:27 2009 : Info: ? Evaluating (SSID-Name) -> FALSE
Fri Jul 24 12:25:27 2009 : Info: ++? if (SSID-Name) -> FALSE
Fri Jul 24 12:25:27 2009 : Info: ++- entering else else {...}
Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] EAP packet type response id 2 length 18
Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] No EAP Start, assuming it's an on-going EAP conversation
Fri Jul 24 12:25:27 2009 : Info: +++[eap-comodo] returns fail
Fri Jul 24 12:25:27 2009 : Info: ++- else else returns fail
Fri Jul 24 12:25:27 2009 : Auth: Invalid user: [BGAS\\xxxxxxxx] (from client abcd1-ab-wc01 port 1 cli 00-16-6F-16-F5-64)
Fri Jul 24 12:25:27 2009 : Info: Using Post-Auth-Type Reject
Fri Jul 24 12:25:27 2009 : Info: +- entering group REJECT {...}

So, what causes the eap module to return "fail"? There are no other messages indicating why it is failing (that I see).
Here's output at startup showing that both were instantiated:

Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-internal
Fri Jul 24 12:25:18 2009 : Debug:  eap eap-internal {
Fri Jul 24 12:25:18 2009 : Debug:   default_eap_type = "peap"
Fri Jul 24 12:25:18 2009 : Debug:   timer_expire = 60
Fri Jul 24 12:25:18 2009 : Debug:   ignore_unknown_eap_types = no
Fri Jul 24 12:25:18 2009 : Debug:   cisco_accounting_username_bug = no
Fri Jul 24 12:25:18 2009 : Debug:   max_sessions = 2048
Fri Jul 24 12:25:18 2009 : Debug:  }
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_leap
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-leap
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_tls
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-tls
Fri Jul 24 12:25:18 2009 : Debug:   tls {
Fri Jul 24 12:25:18 2009 : Debug:    rsa_key_exchange = no
Fri Jul 24 12:25:18 2009 : Debug:    dh_key_exchange = yes
Fri Jul 24 12:25:18 2009 : Debug:    rsa_key_length = 512
Fri Jul 24 12:25:18 2009 : Debug:    dh_key_length = 512
Fri Jul 24 12:25:18 2009 : Debug:    verify_depth = 0
Fri Jul 24 12:25:18 2009 : Debug:    pem_file_type = yes
Fri Jul 24 12:25:18 2009 : Debug:    private_key_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem"
Fri Jul 24 12:25:18 2009 : Debug:    certificate_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem"
Fri Jul 24 12:25:18 2009 : Debug:    private_key_password = "xxxxxxxx"
Fri Jul 24 12:25:18 2009 : Debug:    dh_file = "/usr/local/etc/raddb/certs/dh"
Fri Jul 24 12:25:18 2009 : Debug:    random_file = "/usr/local/etc/raddb/certs/random"
Fri Jul 24 12:25:18 2009 : Debug:    fragment_size = 1024
Fri Jul 24 12:25:18 2009 : Debug:    include_length = yes
Fri Jul 24 12:25:18 2009 : Debug:    check_crl = no
Fri Jul 24 12:25:18 2009 : Debug:    cipher_list = "DEFAULT"
Fri Jul 24 12:25:18 2009 : Debug:   }
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_peap
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-peap
Fri Jul 24 12:25:18 2009 : Debug:   peap {
Fri Jul 24 12:25:18 2009 : Debug:    default_eap_type = "mschapv2"
Fri Jul 24 12:25:18 2009 : Debug:    copy_request_to_tunnel = yes
Fri Jul 24 12:25:18 2009 : Debug:    use_tunneled_reply = no
Fri Jul 24 12:25:18 2009 : Debug:    proxy_tunneled_request_as_eap = yes
Fri Jul 24 12:25:18 2009 : Debug:    virtual_server = "inner-tunnel"
Fri Jul 24 12:25:18 2009 : Debug:   }
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_mschapv2
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-mschapv2
Fri Jul 24 12:25:18 2009 : Debug:   mschapv2 {
Fri Jul 24 12:25:18 2009 : Debug:    with_ntdomain_hack = no
Fri Jul 24 12:25:18 2009 : Debug:   }
Fri Jul 24 12:25:18 2009 : Debug: Module: Checking authorize {...} for more modules to load
Fri Jul 24 12:25:18 2009 : Debug:  (Loaded rlm_preprocess, checking if it's valid)
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to module rlm_preprocess
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating preprocess
Fri Jul 24 12:25:18 2009 : Debug:  preprocess {
Fri Jul 24 12:25:18 2009 : Debug:   huntgroups = "/usr/local/etc/raddb/huntgroups"
Fri Jul 24 12:25:18 2009 : Debug:   hints = "/usr/local/etc/raddb/hints"
Fri Jul 24 12:25:18 2009 : Debug:   with_ascend_hack = no
Fri Jul 24 12:25:18 2009 : Debug:   ascend_channels_per_line = 23
Fri Jul 24 12:25:18 2009 : Debug:   with_ntdomain_hack = no
Fri Jul 24 12:25:18 2009 : Debug:   with_specialix_jetstream_hack = no
Fri Jul 24 12:25:18 2009 : Debug:   with_cisco_vsa_hack = yes
Fri Jul 24 12:25:18 2009 : Debug:   with_alvarion_vsa_hack = no
Fri Jul 24 12:25:18 2009 : Debug:  }
Fri Jul 24 12:25:18 2009 : Debug:  (Loaded rlm_realm, checking if it's valid)
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to module rlm_realm
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating ntdomain
Fri Jul 24 12:25:18 2009 : Debug:  realm ntdomain {
Fri Jul 24 12:25:18 2009 : Debug:   format = "prefix"
Fri Jul 24 12:25:18 2009 : Debug:   delimiter = "\"
Fri Jul 24 12:25:18 2009 : Debug:   ignore_default = no
Fri Jul 24 12:25:18 2009 : Debug:   ignore_null = no
Fri Jul 24 12:25:18 2009 : Debug:  }
Fri Jul 24 12:25:18 2009 : Debug:  (Loaded rlm_attr_rewrite, checking if it's valid)
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to module rlm_attr_rewrite
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating machine_UserName
Fri Jul 24 12:25:18 2009 : Debug:  attr_rewrite machine_UserName {
Fri Jul 24 12:25:18 2009 : Debug:   attribute = "User-Name"
Fri Jul 24 12:25:18 2009 : Debug:   searchfor = "^host/(.*).energyeast.net"
Fri Jul 24 12:25:18 2009 : Debug:   searchin = "packet"
Fri Jul 24 12:25:18 2009 : Debug:   replacewith = "%{1}$"
Fri Jul 24 12:25:18 2009 : Debug:   append = no
Fri Jul 24 12:25:18 2009 : Debug:   ignore_case = yes
Fri Jul 24 12:25:18 2009 : Debug:   new_attribute = no
Fri Jul 24 12:25:18 2009 : Debug:   max_matches = 1
Fri Jul 24 12:25:18 2009 : Debug:  }
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-comodo
Fri Jul 24 12:25:18 2009 : Debug:  eap eap-comodo {
Fri Jul 24 12:25:18 2009 : Debug:   default_eap_type = "peap"
Fri Jul 24 12:25:18 2009 : Debug:   timer_expire = 60
Fri Jul 24 12:25:18 2009 : Debug:   ignore_unknown_eap_types = no
Fri Jul 24 12:25:18 2009 : Debug:   cisco_accounting_username_bug = no
Fri Jul 24 12:25:18 2009 : Debug:   max_sessions = 2048
Fri Jul 24 12:25:18 2009 : Debug:  }
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_leap
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-leap
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_tls
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-tls
Fri Jul 24 12:25:18 2009 : Debug:   tls {
Fri Jul 24 12:25:18 2009 : Debug:    rsa_key_exchange = no
Fri Jul 24 12:25:18 2009 : Debug:    dh_key_exchange = yes
Fri Jul 24 12:25:18 2009 : Debug:    rsa_key_length = 512
Fri Jul 24 12:25:18 2009 : Debug:    dh_key_length = 512
Fri Jul 24 12:25:18 2009 : Debug:    verify_depth = 0
Fri Jul 24 12:25:18 2009 : Debug:    pem_file_type = yes
Fri Jul 24 12:25:18 2009 : Debug:    private_key_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem"
Fri Jul 24 12:25:18 2009 : Debug:    certificate_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem"
Fri Jul 24 12:25:18 2009 : Debug:    private_key_password = "xxxxxxxx"
Fri Jul 24 12:25:18 2009 : Debug:    dh_file = "/usr/local/etc/raddb/certs/dh"
Fri Jul 24 12:25:18 2009 : Debug:    random_file = "/usr/local/etc/raddb/certs/random"
Fri Jul 24 12:25:18 2009 : Debug:    fragment_size = 1024
Fri Jul 24 12:25:18 2009 : Debug:    include_length = yes
Fri Jul 24 12:25:18 2009 : Debug:    check_crl = no
Fri Jul 24 12:25:18 2009 : Debug:    cipher_list = "DEFAULT"
Fri Jul 24 12:25:18 2009 : Debug:   }
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_peap
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-peap
Fri Jul 24 12:25:18 2009 : Debug:   peap {
Fri Jul 24 12:25:18 2009 : Debug:    default_eap_type = "mschapv2"
Fri Jul 24 12:25:18 2009 : Debug:    copy_request_to_tunnel = yes
Fri Jul 24 12:25:18 2009 : Debug:    use_tunneled_reply = no
Fri Jul 24 12:25:18 2009 : Debug:    proxy_tunneled_request_as_eap = yes
Fri Jul 24 12:25:18 2009 : Debug:    virtual_server = "inner-tunnel"
Fri Jul 24 12:25:18 2009 : Debug:   }
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_mschapv2
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-mschapv2
Fri Jul 24 12:25:18 2009 : Debug:   mschapv2 {
Fri Jul 24 12:25:18 2009 : Debug:    with_ntdomain_hack = no
Fri Jul 24 12:25:18 2009 : Debug:   }
Fri Jul 24 12:25:18 2009 : Debug: Module: Checking post-proxy {...} for more modules to load
Fri Jul 24 12:25:18 2009 : Debug: Module: Checking post-auth {...} for more modules to load
Fri Jul 24 12:25:18 2009 : Debug:  (Loaded rlm_attr_filter, checking if it's valid)
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to module rlm_attr_filter
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating attr_filter.access_reject
Fri Jul 24 12:25:18 2009 : Debug:  attr_filter attr_filter.access_reject {
Fri Jul 24 12:25:18 2009 : Debug:   attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
Fri Jul 24 12:25:18 2009 : Debug:   key = "%{User-Name}"
Fri Jul 24 12:25:18 2009 : Debug:  }

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
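Added example, not part of the mailing-list post and not FreeRADIUS code: a Python model of the SSID-to-EAP-instance selection the unlang above performs, plus a small triage parser for the `radiusd -X` style debug lines quoted in the post. It shows what the quoted debug output actually establishes: the `(SSID-Name)` condition evaluated FALSE, so the `update request` block never set the attribute, execution took the outer else branch, and the module instance that then returned `fail` was `eap-comodo`. The SSID names and instance names are the post's own; the Cisco-AVPair values fed to the selector and the helper names (`extract_ssid`, `select_eap_instance`, `summarize_debug`, `first_failing_module`) are constructed for this example.

```python
import re

# Same pattern as the posted unlang condition: Cisco-AVPair =~ /ssid=(.*)/
SSID_RE = re.compile(r"ssid=(.*)")
# SSIDs the posted config routes to eap-internal; everything else goes to eap-comodo.
INTERNAL_SSIDS = {"XX-Barcode", "EE-Barcode"}


def extract_ssid(avpairs):
    """Return the SSID from the first Cisco-AVPair value carrying ssid=, or None."""
    for value in avpairs:
        m = SSID_RE.search(value)
        if m:
            return m.group(1)
    return None


def select_eap_instance(avpairs):
    """Mirror the posted if/elsif/else: which EAP module instance would be called."""
    ssid = extract_ssid(avpairs)
    if ssid is None:
        # Corresponds to the outer else: SSID-Name was never set, so (SSID-Name) is FALSE.
        return "eap-comodo"
    return "eap-internal" if ssid in INTERNAL_SSIDS else "eap-comodo"


# The two kinds of debug lines that matter when tracing an unlang decision:
# "? Evaluating (<cond>) -> TRUE|FALSE" and "[<module>] returns <rcode>".
EVAL_RE = re.compile(r"\? Evaluating \((.+?)\) -> (TRUE|FALSE)")
RETURN_RE = re.compile(r"\[([\w.-]+)\] returns (\w+)")


def summarize_debug(lines):
    """Collect (condition, result) and (module, rcode) pairs from debug output."""
    conditions, returns = [], []
    for line in lines:
        m = EVAL_RE.search(line)
        if m:
            conditions.append((m.group(1), m.group(2) == "TRUE"))
            continue
        m = RETURN_RE.search(line)
        if m:
            returns.append((m.group(1), m.group(2)))
    return {"conditions": conditions, "returns": returns}


def first_failing_module(summary):
    """Name of the first module instance that returned fail, or None if none did."""
    for module, rcode in summary["returns"]:
        if rcode == "fail":
            return module
    return None


# Debug lines copied from the post above (timestamps as posted).
SAMPLE_DEBUG = [
    "Fri Jul 24 12:25:27 2009 : Info: ++? if (SSID-Name)",
    "Fri Jul 24 12:25:27 2009 : Info: ? Evaluating (SSID-Name) -> FALSE",
    "Fri Jul 24 12:25:27 2009 : Info: ++? if (SSID-Name) -> FALSE",
    "Fri Jul 24 12:25:27 2009 : Info: ++- entering else else {...}",
    "Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] EAP packet type response id 2 length 18",
    "Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] No EAP Start, assuming it's an on-going EAP conversation",
    "Fri Jul 24 12:25:27 2009 : Info: +++[eap-comodo] returns fail",
    "Fri Jul 24 12:25:27 2009 : Info: ++- else else returns fail",
]

if __name__ == "__main__":
    # Constructed Cisco-AVPair values in the "ssid=<name>" form the regex expects.
    for pairs in (["ssid=XX-Barcode"], ["ssid=Guest"], []):
        print(pairs, "->", select_eap_instance(pairs))
    summary = summarize_debug(SAMPLE_DEBUG)
    print("conditions:", summary["conditions"])
    print("returns:", summary["returns"])
    print("first failing module:", first_failing_module(summary))
```

Run against the quoted lines, the summary reports the single condition `SSID-Name` as FALSE and `eap-comodo` as the first instance returning `fail`, which is the sequence the post describes: a FALSE existence check on `SSID-Name` always lands in the outer else, regardless of which SSID the client is on, so the selector only does what the post intends when the regex actually matches a Cisco-AVPair value.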