RFC3580 section 3.20:
3.20. Called-Station-Id
For IEEE 802.1X Authenticators, this attribute is used to store the
bridge or Access Point MAC address in ASCII format (upper case only),
with octet values separated by a "-". Example: "00-10-A4-23-19-C0".
In IEEE 802.11, where the SSID is known, it SHOULD be appended to the
Access Point MAC address, separated from the MAC address with a ":".
Example "00-10-A4-23-19-C0:AP1".
If your AP is compliant with this RFC, look in the Called-Station-Id
attribute.
--Mike
On Wed, 2004-09-08 at 12:52, Patrick Mowry (DHL US) wrote:
> "Patrick Mowry (DHL US)" <[EMAIL PROTECTED]> wrote:
> >> My understanding of Wireless 802.1x support boils down to the AP
> >> passing the EAP authentication to the backend radius server after the
> >> initial EAPOL, but the actual EAP type used is up to the supplicant.
> >
> > Yes, but the server has to agree.
> >
> >> I would like to use EAP-TLS for an SSID for wireless LAN access, and
> >> LEAP (no other choice :( ) for wireless phones. But if the SSIDs are
> >> configured on all APs, All APs point to a single FreeRadius Backend
> >> configured for TLS, LEAP and PEAP; how do I prevent a compromised LEAP
> >> account from being used to access the SSID supposedly secured by
> >> EAP-TLS?
> >
> > Is the SSID in the RADIUS packet? If not, you can't key off of SSID
> > to force EAP types.
>
> No, nothing in the access-request, including NAS-PORT, seems to correlate
> to a SSID.
>
> >
> >> Watching the logs with radiusd -X -A I do not see a field I can key
> >> off of to limit the EAP type allowed.
> >
> > In the "users" file, you can do:
> >
> > bob EAP-Type := Cisco-LEAP
> >
> > to force that user to use a specific EAP type. See share/dictionary
> > for the known VALUE's of the EAP-Type attribute.
> >
> > Alan DeKok.
>
> But since the AP does not pass SSID info, nor interfere with the type of
> EAP allowed per SSID, it seems I'm SOL.
>
> I'll move this to another group, but is anyone aware of an AP that does
> either of the above? I'll investigate further into Cisco 1200 and the
> Symbol WS5000 if anyone is interested.
>
> Alan, Thanks again for your help,
>
> -Patrick
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
--Mike
-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
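
Added example, not part of the original thread and not FreeRADIUS code: a parser for the RFC 3580 Called-Station-Id format quoted above, plus a fail-closed check of EAP type against SSID. The SSID names, the policy table and the function names are assumptions made for illustration; the EAP type labels are the ones used in the thread.

```python
import re

# RFC 3580 section 3.20: upper-case MAC, octets separated by "-",
# optionally followed by ":" and the SSID.
_CSID = re.compile(r"([0-9A-F]{2}(?:-[0-9A-F]{2}){5})(?::(.+))?")

# Constructed policy: the SSID names are placeholders for this example.
SSID_EAP_POLICY = {
    "CORP-LAN": {"EAP-TLS"},
    "VOICE": {"Cisco-LEAP"},
}


def parse_called_station_id(value):
    """Return (ap_mac, ssid); ssid is None when the AP did not append one."""
    m = _CSID.fullmatch(value)
    if m is None:
        raise ValueError(f"not in RFC 3580 format: {value!r}")
    return m.group(1), m.group(2)


def eap_type_permitted(called_station_id, eap_type, policy=SSID_EAP_POLICY):
    """Fail closed: reject when the attribute is malformed, the SSID is
    absent or unknown, or the EAP type is not listed for that SSID."""
    try:
        _mac, ssid = parse_called_station_id(called_station_id)
    except ValueError:
        return False
    if ssid is None:
        return False
    return eap_type in policy.get(ssid, set())


if __name__ == "__main__":
    samples = [  # constructed requests
        ("00-10-A4-23-19-C0:CORP-LAN", "EAP-TLS"),
        ("00-10-A4-23-19-C0:CORP-LAN", "Cisco-LEAP"),
        ("00-10-A4-23-19-C0:VOICE", "Cisco-LEAP"),
        ("00-10-A4-23-19-C0", "EAP-TLS"),
    ]
    for csid, eap in samples:
        verdict = "accept" if eap_type_permitted(csid, eap) else "reject"
        print(csid, eap, "->", verdict)
```

A Called-Station-Id that carries only the MAC is rejected here, so an AP that does not append the SSID cannot be used to bypass the per-SSID restriction.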