EAP and non-EAP on same port?

2013-07-03 Thread Bruce Bauman
Right now we have freeradius configured so that EAP and non-EAP are handled by 
separate virtual servers which are listening on separate virtual ports. 
We'd like to simplify our configuration and use the same port for both. I've 
looked through the documentation without much success.

Does anyone have an example configuration of this?

Thanks.

-- Bruce

Bruce Bauman - Systems Administrator
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (848) 445-6363



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP and non-EAP on same port?

2013-07-03 Thread Alan DeKok
Bruce Bauman wrote:
> Right now we have freeradius configured so that EAP and non-EAP are
> handled by separate virtual servers which are listening on separate
> virtual ports.

  Why?

> We'd like to simplify our configuration and use the same port for both.
> I've looked through the documentation without much success.

  There's no magic here.  There's no documentation on "how do I do
EAP?".  Because none is needed.  EAP is just another module you list (or
not) in a virtual server.

  So... list eap in the virtual server, as is done in the example
files raddb/sites-available/default, and also
raddb/sites-available/inner-tunnel.

> Does anyone have an example configuration of this?

  The default configuration does EAP and non-EAP on the same port.

  Alan DeKok.


Re: EAP and non-EAP on same port?

2013-07-03 Thread Phil Mayers

On 03/07/13 15:29, Bruce Bauman wrote:

> Right now we have freeradius configured so that EAP and non-EAP are
> handled by separate virtual servers which are listening on separate
> virtual ports.
> We'd like to simplify our configuration and use the same port for both.
> I've looked through the documentation without much success.
>
> Does anyone have an example configuration of this?


The default config handles both eap and non-EAP just fine. You just list 
the eap and other auth modules (mschap, pap, chap) in authorize 
and authenticate, and pull the password info from LDAP/SQL/files as per 
usual.


However, it's likely you mean something more than the simple config 
you've specified. Can you be more specific about what is unclear to you?


If you want to do some logic conditional on whether the request is EAP 
or not, you can do this;


    authorize {
      ...
      if (EAP-Message) {
        # we're an EAP request
        sql
        eap
        blahblah
      }
      else {
        # we're non-eap
        files
        ldap
        mschap
        chap
        pap
      }
      ...
    }

And of course, the inner EAP auth can be sent to a virtual server - see 
the sample eap.conf that comes with the server.
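
A minimal virtual server in the layout the replies above describe, with eap listed beside the non-EAP modules on a single auth port. This is an added example, not part of the thread or the shipped raddb files; the server name "combined" and port 1812 are assumptions.

```conf
# Added example: one virtual server, one auth port, EAP and non-EAP together.
# The server name "combined" is hypothetical.
server combined {
    listen {
        type = auth
        ipaddr = *
        port = 1812          # assumed port; EAP and non-EAP clients both use it
    }

    authorize {
        preprocess
        chap                 # sets Auth-Type CHAP when CHAP-Password is present
        mschap               # sets Auth-Type MS-CHAP when MS-CHAP attributes are present
        eap {                # does nothing for requests without EAP-Message
            ok = return      # EAP rounds it handles skip the lookups below
        }
        files                # password lookup; ldap or sql can be listed here instead
        pap                  # listed last: sets Auth-Type PAP if nothing else set one
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap                  # runs only for requests authorize marked as EAP
    }
}
```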



Re: EAP and non-EAP on same port?

2013-07-03 Thread A . L . M . Buxey
Hi,

> We'd like to simplify our configuration and use the same port for both.

the default configuration does that

alan