Re: different eap/tls config for different interfaces
That's why I added the extra bit to make sure an EAP-Message attribute existed in the packet (EAP-Message =* ""). That way, it won't force an Auth-Type in an instance where EAP attributes don't exist. The inner authentication of an EAP-TTLS/PAP exchange would be one example of this.

--Mike

[EMAIL PROTECTED] wrote:
> Makes sense. I'm doing EAP-TTLS with LDAP. I probably wouldn't need to define 2 diff ldap instances, since they'd both point to the same ldap server. However, I wonder if the ":=" operator would cause freeradius to ignore any other auth methods (such as ldap)? Doesn't that act as an "override" of sorts, or am I way off?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: different eap/tls config for different interfaces
I was gonna do that as part of my updates, but if you want to do this, be my guest. :)

--Mike

Alan DeKok wrote:
> Hmm... I should update the EAP code so it sets Auth-Type to not EAP, but to its instance name, if that exists. That will help this kind of configuration.
Re: different eap/tls config for different interfaces
Makes sense. I'm doing EAP-TTLS with LDAP. I probably wouldn't need to define 2 diff ldap instances, since they'd both point to the same ldap server. However, I wonder if the ":=" operator would cause freeradius to ignore any other auth methods (such as ldap)? Doesn't that act as an "override" of sorts, or am I way off?

thanks!

- Original Message -
From: Michael Griego <[EMAIL PROTECTED]>
Date: Monday, August 8, 2005 5:53 pm
Subject: Re: different eap/tls config for different interfaces

> By its Client-IP-Address attribute or NAS-IP-Address attribute.
>
> Also, you can use the Packet-Dst-IP-Address attribute if you're certain that the clients are split up by interface. You can match up based on incoming interface like you were thinking about doing with two different servers.
Re: different eap/tls config for different interfaces
Michael Griego <[EMAIL PROTECTED]> wrote:
> Also, you can use the Packet-Dst-IP-Address attribute if you're certain
> that the clients are split up by interface. You can match up based on
> incoming interface like you were thinking about doing with two different
> servers. So, if your server is listening on 10.0.0.1 and 10.0.1.1, and
> your EAP modules are named EAPauth1 and EAPauth2, you could do:

Hmm... I should update the EAP code so it sets Auth-Type to not EAP, but to its instance name, if that exists. That will help this kind of configuration.

Alan DeKok.
Re: different eap/tls config for different interfaces
From: Michael Griego <[EMAIL PROTECTED]>
Date: Monday, August 8, 2005 5:53 pm

By its Client-IP-Address attribute or NAS-IP-Address attribute.

Also, you can use the Packet-Dst-IP-Address attribute if you're certain that the clients are split up by interface. You can match up based on incoming interface like you were thinking about doing with two different servers. So, if your server is listening on 10.0.0.1 and 10.0.1.1, and your EAP modules are named EAPauth1 and EAPauth2, you could do:

    DEFAULT Packet-Dst-IP-Address == 10.0.0.1, EAP-Message =* "", Auth-Type := EAPauth1

    DEFAULT Packet-Dst-IP-Address == 10.0.1.1, EAP-Message =* "", Auth-Type := EAPauth2

This functionality may only be CVS snapshots, though. I'm not sure as I haven't looked to see if it exists in the production releases.

--Mike

[EMAIL PROTECTED] wrote:
> Mike,
>
> Sounds good, thanks for the info. Just curious: In the dual eap-tls configuration that you mentioned in the second paragraph, how would the radius server know which one to use for a given client?
Re: different eap/tls config for different interfaces
Mike,

Sounds good, thanks for the info. Just curious: In the dual eap-tls configuration that you mentioned in the second paragraph, how would the radius server know which one to use for a given client?

thanks!

- Original Message -
From: Michael Griego <[EMAIL PROTECTED]>
Date: Friday, August 5, 2005 11:34 pm
Subject: Re: different eap/tls config for different interfaces

> In the meantime, if you want to avoid bringing up two servers, you *can* configure two EAP module instances, each with a different tls submodule configuration. Force the Auth-Type to the EAP module with the correct tls configuration based on your criteria. I've used this scenario in the past.
Re: different eap/tls config for different interfaces
From: Michael Griego <[EMAIL PROTECTED]>
Date: Friday, August 5, 2005 11:34 pm

After I'm done with the rlm_eap_tls rewrites and rlm_eap updates, there will be functionality to have multiple EAP submodules of the same type with different configurations. With this, you'll be able to force the use of a specific EAP type instance by its instance name.

In the meantime, if you want to avoid bringing up two servers, you *can* configure two EAP module instances, each with a different tls submodule configuration. Force the Auth-Type to the EAP module with the correct tls configuration based on your criteria. I've used this scenario in the past.

--Mike

[EMAIL PROTECTED] wrote:
> Oh...duh...that makes sense. Should have considered that. I have since tested the behavior of the scenario I described, and Alan's on target. Doesn't really seem to matter which interface I enter on, or which common-name I use. Seems to work either way.
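The two-instance setup Mike describes here, together with the users-file entries from his August 8 reply and the EAP-Message =* "" check he explains in his latest reply, pulled together as one added example. This is not configuration from the thread or from the FreeRADIUS project. It assumes a 1.x-era radiusd.conf layout with listen sections, that the server accepts the eap instance names as Auth-Type values (Mike flags that this may only be in CVS snapshots), and that the 10.0.0.1/10.0.1.1 addresses and EAPauth1/EAPauth2 names from the thread are used; certificate paths and the ldap settings are placeholders.

```conf
# radiusd.conf (FreeRADIUS 1.x layout). Assumed example, not from the
# thread or the FreeRADIUS project.

# Comment out the global bind_address/port and give each interface its own
# listener; Packet-Dst-IP-Address then identifies the interface a request
# arrived on.
listen {
    ipaddr = 10.0.0.1
    port   = 1812
    type   = auth
}
listen {
    ipaddr = 10.0.1.1
    port   = 1812
    type   = auth
}

modules {
    # Two rlm_eap instances, named after the Auth-Type values that select
    # them. Only the tls sub-section differs (paths are placeholders).
    eap EAPauth1 {
        default_eap_type = ttls
        timer_expire     = 60
        tls {
            private_key_password = whatever
            private_key_file     = ${raddbdir}/certs/if0/server.pem
            certificate_file     = ${raddbdir}/certs/if0/server.pem
            CA_file              = ${raddbdir}/certs/if0/ca.pem
            dh_file              = ${raddbdir}/certs/dh
            random_file          = ${raddbdir}/certs/random
            fragment_size        = 1024
            include_length       = yes
        }
        ttls {
            copy_request_to_tunnel = no
            use_tunneled_reply     = no
        }
    }
    eap EAPauth2 {
        default_eap_type = ttls
        timer_expire     = 60
        tls {
            private_key_password = whatever
            private_key_file     = ${raddbdir}/certs/if1/server.pem
            certificate_file     = ${raddbdir}/certs/if1/server.pem
            CA_file              = ${raddbdir}/certs/if1/ca.pem
            dh_file              = ${raddbdir}/certs/dh
            random_file          = ${raddbdir}/certs/random
            fragment_size        = 1024
            include_length       = yes
        }
        ttls {
            copy_request_to_tunnel = no
            use_tunneled_reply     = no
        }
    }
    # One ldap instance serves both listeners, as both use the same server.
    ldap {
        server = "ldap.example.org"              # placeholder
        basedn = "ou=people,dc=example,dc=org"   # placeholder
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }
    pap {
        encryption_scheme = clear
    }
}

authorize {
    preprocess
    files          # applies the DEFAULT entries from the users file below
    ldap
}

authenticate {
    # The Auth-Type names are the eap instance names the users file forces.
    Auth-Type EAPauth1 {
        EAPauth1
    }
    Auth-Type EAPauth2 {
        EAPauth2
    }
    # The inner EAP-TTLS/PAP request carries no EAP-Message, so neither
    # DEFAULT entry matches it and ldap/pap handle it as usual.
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}

# ---- users (rlm_files) ----
# "EAP-Message =* """ only matches when the attribute exists, so a packet
# without EAP (the tunneled PAP request) is not forced to an EAP Auth-Type.
DEFAULT Packet-Dst-IP-Address == 10.0.0.1, EAP-Message =* "", Auth-Type := EAPauth1

DEFAULT Packet-Dst-IP-Address == 10.0.1.1, EAP-Message =* "", Auth-Type := EAPauth2
```

Running the server in debug mode (radiusd -X) shows which DEFAULT entry matched an outer EAP request and that the tunneled PAP request matched neither. Note what the dst-IP match does and does not do: it picks a certificate by listener, so a client that reaches the other address simply gets the other certificate; it is not an access control, and the LDAP check inside the tunnel is still what decides who gets in.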
Re: different eap/tls config for different interfaces
Oh...duh...that makes sense. Should have considered that. I have since tested the behavior of the scenario I described, and Alan's on target. Doesn't really seem to matter which interface I enter on, or which common-name I use. Seems to work either way.

thanks for the help!

- Original Message -
From: Kris Benson <[EMAIL PROTECTED]>
Date: Friday, August 5, 2005 5:28 pm
Subject: Re: different eap/tls config for different interfaces

> What Alan forgot to mention is a solution.
>
> If you run two copies of the Radius server, with one bound to either a different set of ports, or one to each IP, you could have separate configs.
Re: different eap/tls config for different interfaces
From: Kris Benson <[EMAIL PROTECTED]>
Date: Friday, August 5, 2005 5:28 pm

>[EMAIL PROTECTED] wrote:
>> If so, is it possible to have 2 different tls sections that service
>> the 2 different interfaces?
>
> No. FreeRADIUS supports only 1 TLS module at a time.

What Alan forgot to mention is a solution.

If you run two copies of the Radius server, with one bound to either a different set of ports, or one to each IP, you could have separate configs.
-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
Re: different eap/tls config for different interfaces
[EMAIL PROTECTED] wrote:
> I generated freeradius' tls certificate with a common name matching
> the ip of eth0 (192.168.5.5). Will this cause problems when a client
> tries to connect to freeradius via eth1 (192.168.6.6)?

No, because the wireless clients interact with the server via IP, so they don't know its IP address.

> If so, is it possible to have 2 different tls sections that service
> the 2 different interfaces?

No. FreeRADIUS supports only 1 TLS module at a time.

Alan DeKok.