Patrick,
If I understand your problem correctly, you want to have a different EAP type per SSID using the Cisco APs of the 12 series.
There are basically two major possibilities to do so, independently of what has been said before:
1. In AP 12 you can assign an authentication server per SSID. From there on, you could have two different servers, one for LEAP and the other for EAP/TLS.
2. Cisco APs do provide SSID information in the incoming requests. This is put in a Cisco VSA. If you put your server into debug mode and look at the incoming requests, you'll see the SSID appearing as something like
Cisco-VSA = "ssid=my_ssid"
You can process this line in FreeRADIUS and treat it differently depending on the SSID, as has been explained by Alan.
Now for the MAC-address format:
Look at the config of the AP 12. You can change the MAC address format; the AP 1200 supports Cisco format, IETF format (see your email) and an unformatted char string. The IETF format, however, does not contain the SSID.
And finally, if you have a direct wire to a Cisco Product Manager, please kick his ass on my behalf and convince him of the need to finally correct the accounting behavior of the newest AP12 IOS release. In my case, accounting contains neither AcctInputOctets nor AcctOutputOctets.
Ciao, Artur
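The two places the thread says the SSID can turn up (the Cisco VSA "ssid=..." Artur describes, and the RFC 3580 Called-Station-Id suffix Mike points to) and the per-SSID EAP-type restriction Patrick is after, worked through as an added example. This is not code from any message in this thread and not FreeRADIUS code; it models the policy decision a server would make on an Access-Request. Attribute names follow the FreeRADIUS dictionaries (Called-Station-Id, Cisco-AVPair, EAP-Message), the SSID-to-EAP-type table and the sample requests are constructed for illustration, and the EAP method numbers are the IANA codes (TLS 13, LEAP 17, PEAP 25). A request whose SSID cannot be recovered at all (the Cisco-format "0007.50d5.aaaa" Called-Station-Id with no VSA) is rejected rather than falling through to the permissive default, which is the failure mode Patrick's question is about.

```python
"""Per-SSID EAP policy check for a RADIUS Access-Request (added example)."""
import re

# IANA EAP method type codes (RFC 3748 registry).
EAP_IDENTITY = 1
EAP_NAK = 3
EAP_TLS = 13
EAP_LEAP = 17
EAP_PEAP = 25
# Display names as used in the thread (Alan's "Cisco-LEAP", Patrick's "EAP-TLS").
EAP_NAMES = {EAP_TLS: "EAP-TLS", EAP_LEAP: "Cisco-LEAP", EAP_PEAP: "PEAP"}

# Hypothetical policy: EAP methods permitted on each SSID (constructed).
SSID_POLICY = {"corp-data": {EAP_TLS}, "voice": {EAP_LEAP}}

# RFC 3580 AP MAC form "00-10-A4-23-19-C0"; upper case per the RFC, but APs
# vary, so match case-insensitively.
RFC3580_MAC = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}$", re.I)


def ssid_from_request(attrs):
    """Return the SSID the client associated to, or None if it is not recoverable.

    1. Called-Station-Id in RFC 3580 form "<MAC>:<SSID>" (partition on the
       first ':' so an SSID that itself contains ':' survives).
    2. A Cisco-AVPair value "ssid=<name>", the VSA form Artur describes.
    Cisco-format Called-Station-Id such as "0007.50d5.aaaa" carries no SSID.
    """
    csi = attrs.get("Called-Station-Id")
    if csi:
        mac, sep, ssid = csi.partition(":")
        if sep and RFC3580_MAC.match(mac) and ssid:
            return ssid
    avps = attrs.get("Cisco-AVPair", [])
    if isinstance(avps, str):
        avps = [avps]
    for avp in avps:
        key, sep, value = avp.partition("=")
        if sep and key.strip().lower() == "ssid" and value:
            return value
    return None


def eap_method_type(eap_message):
    """Return the method type of an EAP Response, or None if no method is chosen yet.

    EAP header: code(1) id(1) length(2) type(1). Only Responses (code 2) carry
    the client's method; Identity and Nak responses precede method selection.
    """
    if len(eap_message) < 5:
        return None
    code = eap_message[0]
    length = int.from_bytes(eap_message[2:4], "big")
    if code != 2 or length != len(eap_message):
        return None
    mtype = eap_message[4]
    if mtype in (EAP_IDENTITY, EAP_NAK):
        return None
    return mtype


def evaluate(attrs):
    """Decide an Access-Request: ('reject', reason) or ('ok', ssid, method_or_None)."""
    ssid = ssid_from_request(attrs)
    if ssid is None:
        return ("reject", "no SSID in request; failing closed")
    allowed = SSID_POLICY.get(ssid)
    if allowed is None:
        return ("reject", "unknown SSID %r" % ssid)
    # EAP-Message may be split across several attributes; reassemble in order.
    eap = b"".join(attrs.get("EAP-Message", []))
    mtype = eap_method_type(eap)
    if mtype is None:
        # Identity/Nak: the EAP module will offer the SSID's required method next.
        return ("ok", ssid, None)
    if mtype not in allowed:
        return ("reject", "%s not allowed on SSID %r" % (EAP_NAMES.get(mtype, mtype), ssid))
    return ("ok", ssid, mtype)


# Constructed sample requests, one per case the thread raises.
SAMPLES = {
    # LEAP response arriving on the SSID that is supposed to be EAP-TLS only.
    "leap_on_tls_ssid": {
        "Called-Station-Id": "00-10-A4-23-19-C0:corp-data",
        "EAP-Message": [bytes([2, 1, 0, 8, EAP_LEAP, 1, 0, 0])],
    },
    "tls_on_tls_ssid": {
        "Called-Station-Id": "00-10-A4-23-19-C0:corp-data",
        "EAP-Message": [bytes([2, 2, 0, 6, EAP_TLS, 0])],
    },
    # SSID only in the Cisco VSA; Called-Station-Id is the Cisco dotted form.
    "leap_on_voice_via_avpair": {
        "Called-Station-Id": "0007.50d5.aaaa",
        "Cisco-AVPair": ["ssid=voice"],
        "EAP-Message": [bytes([2, 1, 0, 8, EAP_LEAP, 1, 0, 0])],
    },
    # Identity response: method not chosen yet, so nothing to enforce.
    "identity_on_voice": {
        "Called-Station-Id": "00-10-A4-23-19-C0:voice",
        "EAP-Message": [bytes([2, 0, 0, 8, EAP_IDENTITY]) + b"bob"],
    },
    # Neither source carries an SSID: reject instead of guessing.
    "no_ssid": {
        "Called-Station-Id": "0007.50d5.aaaa",
        "EAP-Message": [bytes([2, 2, 0, 6, EAP_TLS, 0])],
    },
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, "->", evaluate(req))
```

In a real deployment the second half of this check is done for you once the SSID is known: set the control item EAP-Type := for that SSID (the same mechanism Alan shows per user) and the EAP module will only ever offer that method, so a supplicant that insists on another type fails the negotiation. The explicit method check here is the defense-in-depth version of the same rule.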
Patrick Mowry (DHL US) wrote:
Thanks Michael,
The AP (Cisco 1200, IOS 12.2(13)JA1) formats the Called-Station-Id as "0007.50d5.aaaa". I'll forward the RFC information to the Product Manager to see if this can be added to the next release. There is another feature being added to the IOS software for the APs to address my issue, but it is not even in beta yet.
Thanks again,
-Patrick
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Wednesday, September 08, 2004 11:16 AM
To: [EMAIL PROTECTED]
Subject: RE: Q: Allowing 1 EAP type per SSID with 1 AP and 1 Radius Server.
RFC3580 section 3.20:
3.20. Called-Station-Id
For IEEE 802.1X Authenticators, this attribute is used to store the bridge or Access Point MAC address in ASCII format (upper case only), with octet values separated by a "-". Example: "00-10-A4-23-19-C0". In IEEE 802.11, where the SSID is known, it SHOULD be appended to the Access Point MAC address, separated from the MAC address with a ":". Example "00-10-A4-23-19-C0:AP1".
If your AP is compliant with this RFC, look in the Called-Station-Id attribute.
--Mike
On Wed, 2004-09-08 at 12:52, Patrick Mowry (DHL US) wrote:
"Patrick Mowry (DHL US)" <[EMAIL PROTECTED]> wrote:
My understanding of wireless 802.1X support boils down to the AP passing the EAP authentication to the backend RADIUS server after the initial EAPOL, but the actual EAP type used is up to the supplicant.
Yes, but the server has to agree.
I would like to use EAP-TLS for an SSID for wireless LAN access, and LEAP (no other choice :( ) for wireless phones. But if the SSIDs are configured on all APs, and all APs point to a single FreeRADIUS backend configured for TLS, LEAP and PEAP, how do I prevent a compromised LEAP account from being used to access the SSID supposedly secured by EAP-TLS?
Is the SSID in the RADIUS packet? If not, you can't key off of SSID to force EAP types.
No, nothing in the Access-Request, including NAS-Port, seems to correlate to an SSID.
Watching the logs with radiusd -X -A I do not see a field I can key off of to limit the EAP type allowed.
In the "users" file, you can do:
bob EAP-Type := Cisco-LEAP
to force that user to use a specific EAP type. See share/dictionary for the known VALUEs of the EAP-Type attribute.
Alan DeKok.
But since the AP does not pass SSID info, nor interfere with the type of EAP allowed per SSID, it seems I'm SOL.
I'll move this to another group, but is anyone aware of an AP that does either of the above? I'll investigate further into the Cisco 1200 and the Symbol WS5000 if anyone is interested.
Alan, Thanks again for your help,
-Patrick
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html