[RADIATOR] multiple EAP-TLS AuthBys
Hartmaier Alexander
alexander.hartmaier at t-systems.at
Fri Jan 31 06:23:43 CST 2014
Hi guys,
I'm trying to get a wired and wireless 802.1x config working where, in
one building, shared Cisco IOS switches and Cisco WLAN controllers are
used for multiple companies, each with its own CA.
My handler config is below; as you can see, the EAPTLS settings share
the same RADIUS server certificate and differ only in the CA cert used
to validate the client's cert.
The level 4 trace showed that the first AuthBy responds with a challenge,
which didn't match the ContinueUntilAccept AuthByPolicy, so the second
AuthBy was triggered, which failed as well.
I've changed the AuthByPolicy to ContinueUntilAcceptOrChallenge, but now
the first AuthBy is always checked until the client gives up authenticating.
I haven't found an example in the goodies that matches our setup.
Another possibility would be a single AuthBy with all CA certs, but how
would I differentiate which one matched in order to send different
Tunnel-Private-Group-ID values back?
Best regards, Alex
<Handler Client-Identifier="wlancontroller", Called-Station-Id=/:dot1xtest$/, EAP-Message=/.+/>
    # first try
    AuthByPolicy ContinueUntilAccept
    # second try
    AuthByPolicy ContinueUntilAcceptOrChallenge

    <AuthBy FILE>
        Identifier wlan-dot1xtest-company1
        Filename %D/users.dot1x
        AcceptIfMissing
        EAPTLS_NoCheckId
        EAPType TLS
        EAPTLS_MaxFragmentSize 1350
        # client CA and CRL are per company; the server cert/key are shared
        EAPTLS_CAFile %D/certificates/company1/CA.pem
        EAPTLS_CertificateFile %D/certificates/shared/dot1xradius.company.tld.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/shared/dot1xradius.company.tld.key
        EAPTLS_PrivateKeyPassword foobar
        EAPTLS_CRLCheck
        EAPTLS_CRLFile %D/certificates/company1/CA.crl.pem
        AutoMPPEKeys
        AddToReply Tunnel-Type=VLAN
        AddToReply Tunnel-Medium-Type=802
        AddToReply Tunnel-Private-Group-ID=100
    </AuthBy>

    <AuthBy FILE>
        Identifier wlan-dot1xtest-company2
        Filename %D/users.dot1x
        AcceptIfMissing
        EAPTLS_NoCheckId
        EAPType TLS
        EAPTLS_MaxFragmentSize 1350
        EAPTLS_CAFile %D/certificates/company2/CA.pem
        EAPTLS_CertificateFile %D/certificates/shared/dot1xradius.company.tld.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/shared/dot1xradius.company.tld.key
        EAPTLS_PrivateKeyPassword foobar
        EAPTLS_CRLCheck
        EAPTLS_CRLFile %D/certificates/company2/CA.crl.pem
        AutoMPPEKeys
        AddToReply Tunnel-Type=VLAN
        AddToReply Tunnel-Medium-Type=802
        AddToReply Tunnel-Private-Group-ID=200
    </AuthBy>

    <AuthLog FILE>
        Filename %L/wlan-dot1xtest.authlog
        LogSuccess 1
        LogFailure 1
        SuccessFormat %Y-%m-%d %H:%M:%S:%U:%{Called-Station-Id}:%{Calling-Station-Id}:%{Reply:Tunnel-Private-Group-ID}::OK
        FailureFormat %Y-%m-%d %H:%M:%S:%U:%{Called-Station-Id}:%{Calling-Station-Id}:%{Reply:Tunnel-Private-Group-ID}:%1:FAIL
    </AuthLog>
</Handler>
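The open question in the post is how to tell which company CA validated a client certificate, so that the right Tunnel-Private-Group-ID can be returned from a single AuthBy. The script below is an added example, not code from the post or from Radiator: it uses the openssl command line to build throwaway CAs (directory names company1/company2 and VLANs 100/200 mirror the post's config; company3 is an extra CA that is deliberately left unconfigured) plus one client certificate under each, then verifies a given certificate against each configured CA in isolation and prints the VLAN of the CA that accepts it. The client names, the company3 CA, the CA-to-VLAN table and the temporary working directory are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from Radiator.
# Given a client certificate, find which company CA issued it by verifying
# against each CA on its own, and map that CA to the VLAN to return in
# Tunnel-Private-Group-ID. Assumes the openssl CLI is installed.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Constructed test material: throwaway CAs and client certs. Directory
# names and VLAN numbers mirror the post's config; company3 is an extra
# CA that is deliberately NOT configured, to show the "no match" case.
make_ca() {           # $1 = company name
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1 CA" \
        -keyout "$1/CA.key" -out "$1/CA.pem" >/dev/null 2>&1
}
make_client() {       # $1 = company, $2 = client name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/CA.pem" -CAkey "$1/CA.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" >/dev/null 2>&1
}
make_ca company1; make_client company1 alice
make_ca company2; make_client company2 bob
make_ca company3; make_client company3 mallory

# CA -> VLAN table, one entry per company (the two AuthBys in the post).
CA_VLANS="company1:100 company2:200"

# vlan_for_cert CERT: print the VLAN of the CA that verifies CERT, or
# "none" if no configured CA issued it. Each CA is tried in isolation,
# so a certificate issued by company2 can never land in company1's VLAN
# just because both CAs happen to be trusted in the same store.
vlan_for_cert() {
    cert=$1
    for entry in $CA_VLANS; do
        company=${entry%%:*}
        vlan=${entry##*:}
        if openssl verify -CAfile "$company/CA.pem" "$cert" >/dev/null 2>&1; then
            echo "$vlan"
            return 0
        fi
    done
    echo none
}

# Usage:
vlan_for_cert company1/alice.pem      # 100
vlan_for_cert company2/bob.pem        # 200
vlan_for_cert company3/mallory.pem    # none
```

The point of verifying against one CA at a time is that a merged trust store only tells you that some CA matched, not which one; the per-CA loop is what recovers the company, and therefore the VLAN. The post's config also carries a separate CRL per CA (EAPTLS_CRLFile under each company directory), so if the stores are merged in Radiator the CRL for each CA still has to be paired with that CA rather than applied globally.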