Migration -> FR3 + CiscoAPs + Multiple SSID+ EAP-TLS +Multiple Certs

Adam Bishop

2018-11-30 19:40:46 UTC

That said, how does the pseudo code get translated into unlang? I think I understand a partial of %{request:Cisco-AVPair[0]} would provide the SSID (based upon looking at the freeradius -X trace where it scrolls by first) but I am unsure about testing for the [certificate name?]. (I got the above from 'man unlang'; hopefully an appropriate reference.) I expect "real" data is now necessary to continue forward?

For client certs, the EAP module extracts the certificate into into attributes you can test. There's some examples in the check-eap-tls virtual server:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/check-eap-tls

If you're talking about the CN of server cert, take a look at the check_cert_issuer option:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/eap#L300

Simplest way to get the SSID and client MAC is to look at the called/calling station id - the SSID is appended to the NAS' MAC in the Called-Station-ID, and the client MAC address should be in the Calling-Station-Id.

Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list