You can control the format of the Called-Station-Id through the "dot11 aaa csid" command. You might try doing a "dot11 aaa csid ietf" and see if that works...

--Mike

On Mon, 2004-09-13 at 17:47, Patrick Mowry (DHL US) wrote:
> Thanks Michael,
>
> The AP (Cisco 1200, IOS 12.2(13)JA1) formats the Called-Station-ID as
> "0007.50d5.aaaa". I'll forward the RFC information to the product
> Manager to see if this can be added to the next release. There is
> another feature being added to the IOS software for the APs to address
> my issue, but it is not even in beta yet.
>
> Thanks again,
>
> -Patrick
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Michael Griego
> Sent: Wednesday, September 08, 2004 11:16 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Q: Allowing 1 EAP type per SSID with 1 AP and 1 Radius
> Server.
>
> RFC3580 section 3.20:
>
> 3.20. Called-Station-Id
>
> For IEEE 802.1X Authenticators, this attribute is used to store the
> bridge or Access Point MAC address in ASCII format (upper case only),
> with octet values separated by a "-". Example: "00-10-A4-23-19-C0".
> In IEEE 802.11, where the SSID is known, it SHOULD be appended to the
> Access Point MAC address, separated from the MAC address with a ":".
> Example "00-10-A4-23-19-C0:AP1".
>
> If your AP is compliant with this RFC, look in the Called-Station-Id
> attribute.
>
> --Mike
>
>
> On Wed, 2004-09-08 at 12:52, Patrick Mowry (DHL US) wrote:
> > "Patrick Mowry (DHL US)" <[EMAIL PROTECTED]> wrote:
> > >> My understanding of Wireless 802.1x support boils down to the AP
> > >> passing the EAP authentication to the backend radius server after
> > >> the initial EAPOL, but the actual EAP type used is up to the
> > >> supplicant.
> > >
> > > Yes, but the server has to agree.
> > >
> > >> I would like to use EAP-TLS for an SSID for wireless LAN access,
> > >> and LEAP (no other choice :( ) for wireless phones. But if the
> > >> SSIDs are configured on all APs, All APs point to a single
> > >> FreeRadius Backend configured for TLS, LEAP and PEAP; how do I
> > >> prevent a compromised LEAP account from being used to access the
> > >> SSID supposedly secured by EAP-TLS?
> > >
> > > Is the SSID in the RADIUS packet? If not, you can't key off of
> > > SSID to force EAP types.
> >
> > No, nothing in the access-request, including NAS-PORT, seems to
> > correlate to an SSID.
> >
> > >> Watching the logs with radiusd -X -A I do not see a field I can
> > >> key off of to limit the EAP type allowed.
> > >
> > > In the "users" file, you can do:
> > >
> > >     bob EAP-Type := Cisco-LEAP
> > >
> > > to force that user to use a specific EAP type. See
> > > share/dictionary for the known VALUE's of the EAP-Type attribute.
> > >
> > > Alan DeKok.
> >
> > But since the AP does not pass SSID info, nor interfere with the type
> > of EAP Allowed per SSID, it seems I'm SOL.
> >
> > I'll move this to another group, but is anyone aware of an AP that
> > does either of the above? I'll investigate further into Cisco 1200
> > and the Symbol WS5000 if Anyone is interested.
> >
> > Alan, Thanks again for your help,
> >
> > -Patrick
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
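
Added example, not part of the original thread and not FreeRADIUS code: a sketch of the per-SSID check the thread is after, parsing both Called-Station-Id forms quoted above (the Cisco dotted MAC and the RFC 3580 "MAC:SSID" form) and rejecting any EAP type not allowed for that SSID. The SSID names, the policy table and the function names are assumptions made for illustration.

```python
import re

# Hypothetical SSID names; the EAP type names follow the thread.
SSID_EAP_POLICY = {
    "corp-data": {"EAP-TLS"},    # wireless LAN access
    "voice": {"Cisco-LEAP"},     # wireless phones
}

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def parse_called_station_id(value):
    """Return (mac, ssid); mac in RFC 3580 form, ssid None when absent."""
    # Neither the RFC 3580 form nor the Cisco dotted form puts ":" inside
    # the MAC, so the first ":" separates the MAC from the SSID.
    mac_part, sep, ssid = value.partition(":")
    digits = re.sub(r"[-.]", "", mac_part)
    if not _HEX12.match(digits):
        raise ValueError("unrecognised Called-Station-Id: %r" % value)
    mac = "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()
    return mac, (ssid if sep and ssid else None)


def eap_type_allowed(called_station_id, eap_type):
    """Fail closed: a missing SSID, unknown SSID or bad value is rejected."""
    try:
        _, ssid = parse_called_station_id(called_station_id)
    except ValueError:
        return False
    return eap_type in SSID_EAP_POLICY.get(ssid, set())
```

With the MAC-only value the AP sends in the thread, every EAP type is rejected, which is why the check only becomes usable once the AP appends the SSID.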

