Thanks Michael,

The AP (Cisco 1200, IOS 12.2(13)JA1) formats the Called-Station-ID as "0007.50d5.aaaa". I'll forward the RFC information to the product manager to see if this can be added to the next release. There is another feature being added to the IOS software for the APs to address my issue, but it is not even in beta yet.

Thanks again,
-Patrick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Wednesday, September 08, 2004 11:16 AM
To: [EMAIL PROTECTED]
Subject: RE: Q: Allowing 1 EAP type per SSID with 1 AP and 1 Radius Server.

RFC3580 section 3.20:

3.20. Called-Station-Id

For IEEE 802.1X Authenticators, this attribute is used to store the bridge or Access Point MAC address in ASCII format (upper case only), with octet values separated by a "-". Example: "00-10-A4-23-19-C0". In IEEE 802.11, where the SSID is known, it SHOULD be appended to the Access Point MAC address, separated from the MAC address with a ":". Example "00-10-A4-23-19-C0:AP1".

If your AP is compliant with this RFC, look in the Called-Station-Id attribute.

--Mike

On Wed, 2004-09-08 at 12:52, Patrick Mowry (DHL US) wrote:
> "Patrick Mowry (DHL US)" <[EMAIL PROTECTED]> wrote:
> >> My understanding of Wireless 802.1x support boils down to the AP
> >> passing the EAP authentication to the backend radius server after the
> >> initial EAPOL, but the actual EAP type used is up to the supplicant.
> >
> > Yes, but the server has to agree.
> >
> >> I would like to use EAP-TLS for an SSID for wireless LAN access,
> >> and LEAP (no other choice :( ) for wireless phones. But if the SSIDs are
> >> configured on all APs, All APs point to a single FreeRadius Backend
> >> configured for TLS, LEAP and PEAP; how do I prevent a compromised LEAP
> >> account from being used to access the SSID supposedly secured by
> >> EAP-TLS?
> >
> > Is the SSID in the RADIUS packet? If not, you can't key off of SSID
> > to force EAP types.
>
> No, nothing in the access-request, including NAS-PORT, seems to
> correlate to a SSID.
>
> >> Watching the logs with radiusd -X -A I do not see a field I can key
> >> off of to limit the EAP type allowed.
> >
> > In the "users" file, you can do:
> >
> > bob EAP-Type := Cisco-LEAP
> >
> > to force that user to use a specific EAP type. See share/dictionary for
> > the known VALUE's of the EAP-Type attribute.
> >
> > Alan DeKok.
>
> But since the AP does not pass SSID info, nor interfere with the type
> of EAP allowed per SSID, it seems I'm SOL.
>
> I'll move this to another group, but is anyone aware of an AP that
> does either of the above? I'll investigate further into Cisco 1200
> and the Symbol WS5000 if anyone is interested.
>
> Alan, Thanks again for your help,
>
> -Patrick
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

--
--Mike
-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
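As an added example (not from the thread and not FreeRADIUS's own code), the per-SSID decision the thread is after, written in Python: it parses Called-Station-Id both in the RFC 3580 form ("00-10-A4-23-19-C0:AP1") and in the dotted Cisco form Patrick sees ("0007.50d5.aaaa", no SSID), and fails closed when the AP gives no SSID, so a LEAP credential can never satisfy the SSID meant for EAP-TLS. The SSID names and the policy table are constructed.

```python
import re

# Constructed per-SSID policy: which EAP types each SSID may authenticate with.
SSID_EAP_POLICY = {
    "CORP-TLS": {"EAP-TLS"},     # laptops: certificate authentication only
    "VOICE": {"Cisco-LEAP"},     # wireless phones: LEAP is their only option
}

# RFC 3580 section 3.20: upper-case MAC with "-" separators, optional ":SSID".
RFC3580_RE = re.compile(r"^([0-9A-F]{2}(?:-[0-9A-F]{2}){5})(?::(.+))?$")
# Cisco IOS dotted form reported on the 1200 AP in this thread; carries no SSID.
CISCO_DOTTED_RE = re.compile(r"^([0-9a-fA-F]{4})\.([0-9a-fA-F]{4})\.([0-9a-fA-F]{4})$")


def parse_called_station_id(value):
    """Return (mac, ssid); mac is normalised to 'AA-BB-CC-DD-EE-FF', ssid is None if absent."""
    m = RFC3580_RE.match(value)
    if m:
        return m.group(1), m.group(2)
    m = CISCO_DOTTED_RE.match(value)
    if m:
        hexstr = "".join(m.groups()).upper()          # "000750D5AAAA"
        mac = "-".join(hexstr[i:i + 2] for i in range(0, 12, 2))
        return mac, None
    raise ValueError("unrecognised Called-Station-Id: %r" % value)


def eap_type_allowed(called_station_id, eap_type):
    """Decide whether this EAP type may be used on the SSID the AP reports.

    Fails closed: an unparseable value or a missing SSID means no per-SSID
    policy can be enforced, so the request is refused rather than let through.
    """
    try:
        _mac, ssid = parse_called_station_id(called_station_id)
    except ValueError:
        return False
    if ssid is None:
        return False
    return eap_type in SSID_EAP_POLICY.get(ssid, set())
```

With an AP that appends the SSID, the same check can be expressed as a regex on Called-Station-Id in the FreeRADIUS users file alongside the EAP-Type check item Alan mentions; with the dotted Cisco form there is nothing to match, which is exactly Patrick's problem.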

