Hi Heikki,

On 2014-02-03 17:10, Heikki Vatiainen wrote:
> On 01/31/2014 02:23 PM, Hartmaier Alexander wrote:
>
>> I'm trying to get a wired and wireless 802.1x config working where in
>> one building shared Cisco IOS switches and Cisco WLAN controllers are
>> used for multiple companies, each with its own CA.
>> My handler config is below and as you can see the EAPTLS settings share
>> the same radius server certificate but only differ in the CA cert used
>> to validate the client's cert.
>
> If the clients have different certs from different CAs, you should be
> able to use EAPTLS_CAPath instead of EAPTLS_CAFile.
>
> Note that the certificate file names have special requirements. See
> https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
> and look for the c_rehash utility.

I'm already using that for one of the AuthBys because the certs come from an old and a new CA.

>> The level 4 trace showed that the first AuthBy responds with a challenge
>> which didn't match the ContinueUntilAccept AuthByPolicy so the second
>> AuthBy was triggered which failed as well.
>>
>> I've changed the AuthByPolicy to ContinueUntilAcceptOrChallenge but now
>> the first AuthBy is always checked until the client gives up authenticating.
>
> I'd say CAPath is a better idea than trying to match client CAs with
> individual AuthBys unless there is a way to differentiate between clients.
>
> Is there anything in the requests clients generate that could help with
> choosing the correct Handler?

Sadly not, because the requirement is to have a single SSID for all companies; the same goes for wired 802.1x, where the same switch port should be put into a specific VLAN per company.

>> Another possibility would be a single AuthBy with all CA certs but how
>> would I differentiate which one matched to send different
>> Tunnel-Private-Group-ID values back?
>
> You might be able to use EAPTLS_CertificateVerifyHook to check which CA
> matched. However, I have not checked in detail if this is possible. I
> would first see if the requests have any information that could help
> with Handler selection.

I already wrote a handler but the weird things are:

- $matchedcn is undefined. Is this because I'm doing AuthBy FILE with AcceptIfMissing or because of EAPTLS_NoCheckId?
- I don't have access to the reply packet in the hook, which makes assigning a different value to the Tunnel-Private-Group-ID attribute more complicated than necessary.

> Thanks,
> Heikki

Cheers, Alex

T-Systems Austria GesmbH
Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b

radiator mailing list
http://www.open.com.au/mailman/listinfo/radiator
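An added example, not from this thread and not part of Radiator: a POSIX shell script that builds the hashed CA directory EAPTLS_CAPath (via SSL_CTX_load_verify_locations) requires, in the same layout c_rehash produces, and then reports which CA in that directory actually issued a given client certificate, which is the "which one matched" question above. It assumes the openssl command line tool is installed; the function names build_capath and ca_for_client are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper script (not part of Radiator): builds the hashed CA
# directory that EAPTLS_CAPath / SSL_CTX_load_verify_locations expect and
# looks up which CA in it issued a client certificate.  Requires openssl.
set -eu

# build_capath SRC_DIR DEST_DIR
# Copies every *.pem CA certificate in SRC_DIR into DEST_DIR under the
# <subject_hash>.<n> name that c_rehash would give it; <n> is incremented
# when two CAs share a subject hash (e.g. an old and a new CA that carry
# the same subject name).
build_capath() {
    src=$1; dest=$2
    mkdir -p "$dest"
    for cert in "$src"/*.pem; do
        hash=$(openssl x509 -noout -hash -in "$cert")
        n=0
        while [ -e "$dest/$hash.$n" ]; do n=$((n + 1)); done
        cp "$cert" "$dest/$hash.$n"
    done
}

# ca_for_client CLIENT_PEM CAPATH
# Prints the subject of the CA in CAPATH whose signature verifies
# CLIENT_PEM.  A TLS stack locates candidates by the client's issuer hash
# (the same name build_capath used), so only those files are tried.
# Prints nothing and returns 1 if no CA in CAPATH issued the certificate.
ca_for_client() {
    client=$1; capath=$2
    ihash=$(openssl x509 -noout -issuer_hash -in "$client")
    for ca in "$capath/$ihash".*; do
        [ -e "$ca" ] || break
        if openssl verify -CAfile "$ca" "$client" >/dev/null 2>&1; then
            openssl x509 -noout -subject -in "$ca"
            return 0
        fi
    done
    return 1
}
```

Run build_capath over a directory holding one PEM file per company CA and point EAPTLS_CAPath at the result; ca_for_client is a command line way to check, per client cert, which of those files the verification would succeed against.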
