[RADIATOR] multiple EAP-TLS AuthBys

Heikki Vatiainen hvn at open.com.au
Mon Feb 3 10:10:41 CST 2014


On 01/31/2014 02:23 PM, Hartmaier Alexander wrote:

> I'm trying to get a wired and wireless 802.1x config working where in
> one building shared Cisco IOS switches and Cisco WLAN controllers are
> used for multiple companies, each with its own CA.
> My handler config is below and as you can see the EAPTLS settings share
> the same radius server certificate but only differ in the CA cert used
> to validate the clients cert.

If the clients have different certs from different CAs, you should be
able to use EAPTLS_CAPath instead of EAPTLS_CAFile.

Note that the certificate file names have special requirements. See
 https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

and look for the c_rehash utility.

> The level 4 trace showed that the first AuthBy responds with a challenge
> which didn't match the ContinueUntilAccept AuthByPolicy so the second
> AuthBy was triggered which failed as well.
> 
> I've changed the AuthByPolicy to ContinueUntilAcceptOrChallenge but now
> always the first AuthBy is checked until the client gives up authenticating.

I'd say CAPath is a better idea than trying to match client CAs with
individual AuthBys unless there is a way to differentiate between clients.

Is there anything in the requests clients generate that could help with
choosing the correct Handler?

> Another possibility would be a single AuthBy with all CA certs but how
> would I differentiate which one matched to send different
> Tunnel-Private-Group-ID values back?

You might be able to use EAPTLS_CertificateVerifyHook to check which CA
matched. However, I have not checked in detail if this is possible. I
would first see if the requests have any information that could help
with Handler selection.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
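The reply above points at EAPTLS_CAPath and the c_rehash naming rule without showing what the directory has to look like. The following is an added example, not code from this thread or from the Radiator project: a POSIX shell script that generates two throw-away company CAs (constructed test data), builds a directory in which each CA is reachable under OpenSSL's hashed file name `<subject_hash>.<n>` the way c_rehash does, and then shows with `openssl verify` that the same certificates are found only through the hashed names. Function names (`make_test_ca`, `build_capath`, `verify_against_capath`, `demo_capath`) are this example's own; it needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: build an EAPTLS_CAPath-style directory and check that
# OpenSSL can use it. Not part of the Radiator thread or project.

# Generate a self-signed CA for demonstration (constructed test data).
# $1 = common name, $2 = output PEM path; the key is written next to it.
make_test_ca() {
    cn=$1; out=$2
    mkdir -p "$(dirname "$out")"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$cn" -keyout "${out%.pem}.key" -out "$out" >/dev/null 2>&1
}

# Populate $2 with hashed symlinks to every *.pem CA in $1, as c_rehash does.
# OpenSSL looks up issuers by <subject_hash>.0, <subject_hash>.1, ... so two
# CAs whose subjects hash to the same value get consecutive suffixes.
build_capath() {
    src=$1; dest=$2
    mkdir -p "$dest"
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        subj_hash=$(openssl x509 -noout -subject_hash -in "$pem")
        n=0
        while [ -e "$dest/$subj_hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(cd "$(dirname "$pem")" && pwd)/$(basename "$pem")" \
              "$dest/$subj_hash.$n"
    done
}

# Return 0 if certificate $2 chains to a CA found in directory $1, else non-zero.
verify_against_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Walkthrough: two company CAs in one directory, checked both ways.
demo_capath() {
    work=$(mktemp -d)
    make_test_ca "Company A Root CA" "$work/src/companyA.pem"
    make_test_ca "Company B Root CA" "$work/src/companyB.pem"
    build_capath "$work/src" "$work/capath"
    # Hashed directory: both CAs are located through <hash>.0 entries.
    verify_against_capath "$work/capath" "$work/src/companyA.pem" || return 1
    verify_against_capath "$work/capath" "$work/src/companyB.pem" || return 1
    # Plain file names in the same directory: OpenSSL never opens them,
    # so the identical certificate fails verification.
    if verify_against_capath "$work/src" "$work/src/companyA.pem"; then
        return 1
    fi
    ls -l "$work/capath"
    rm -rf "$work"
    return 0
}
```

Point the Radiator EAPTLS_CAPath parameter at a directory built this way and re-run `build_capath` whenever a CA is added or rotated; a CA dropped into the directory under its plain name is silently ignored, which shows up as client certificate verification failures rather than a configuration error.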
