"Patrick Mowry (DHL US)" <[EMAIL PROTECTED]> wrote:
>>   My understanding of Wireless 802.1x support boils down to the AP 
>> passing the EAP authentication to the backend radius server after the
>> initial EAPOL, but the actual EAP type used is up to the supplicant.
>
>  Yes, but the server has to agree.
>
>> I would like to use EAP-TLS for an SSID for wireless LAN access, and 
>> LEAP (no other choice :( ) for wireless phones.  But if the SSIDs are
>> configured on all APs, all APs point to a single FreeRadius Backend 
>> configured for TLS, LEAP and PEAP; how do I prevent a compromised LEAP
>> account from being used to access the SSID supposedly secured by 
>> EAP-TLS?
>
>  Is the SSID in the RADIUS packet?  If not, you can't key off of SSID
>  to force EAP types.

No, nothing in the access-request, including NAS-PORT, seems to correlate
to an SSID.

>
>>   Watching the logs with radiusd -X -A I do not see a field I can key
>> off of to limit the EAP type allowed.
>
>  In the "users" file, you can do:
>
> bob  EAP-Type := Cisco-LEAP
>
>  to force that user to use a specific EAP type.  See share/dictionary
>  for the known VALUEs of the EAP-Type attribute.
>
>  Alan DeKok.

But since the AP does not pass SSID info, nor interfere with the type of
EAP allowed per SSID, it seems I'm SOL.

I'll move this to another group, but is anyone aware of an AP that does
either of the above?  I'll investigate further into Cisco 1200 and the
Symbol WS5000 if anyone is interested.

Alan, thanks again for your help,

-Patrick
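
[Editor's note, added to this archived thread and not part of the original messages or of the FreeRADIUS distribution: the following "users" file fragment spells out Alan's EAP-Type hint for the two populations in Patrick's setup. Identity names and the password are constructed placeholders; the VALUE names Cisco-LEAP and EAP-TLS are taken from share/dictionary as Alan describes. It assumes the eap module runs before files in the authorize section of radiusd.conf, which is the stock ordering, so the forced EAP-Type is honoured when the EAP conversation is selected.]

```text
# FreeRADIUS "users" file (constructed example; names and password are placeholders).
# EAP-Type := <VALUE> pins the identity to one EAP method; a supplicant asking
# for anything else is refused for that identity.

# Wireless phones: LEAP only.  LEAP needs a cleartext-recoverable password.
phone-lobby-01  Cleartext-Password := "example-only", EAP-Type := Cisco-LEAP

phone-lobby-02  Cleartext-Password := "example-only", EAP-Type := Cisco-LEAP

# Laptop users: EAP-TLS only.  No password is stored; the TLS handshake
# verifies the client certificate, and a LEAP attempt against this
# identity is rejected instead of falling back to a password dialogue.
laptop-user-01  EAP-Type := EAP-TLS

# Anything not listed above is rejected outright, so an unknown identity
# cannot pick its own (weaker) EAP method.
DEFAULT         Auth-Type := Reject
                Reply-Message = "Unknown identity"
```

What this does buy is a per-identity floor: a laptop username can no longer be offered LEAP by an attacker hoping to run a LEAP dictionary attack against it, and a phone account cannot be used with any method but LEAP. What it does not do is what the thread concludes cannot be done from RADIUS alone: a phone account that is forced to LEAP is still accepted on whichever SSID the AP forwards it from, because nothing in the Access-Request ties the request to an SSID.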

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
