On 01/31/2014 02:23 PM, Hartmaier Alexander wrote:
> I'm trying to get a wired and wireless 802.1x config working where in
> one building shared Cisco IOS switches and Cisco WLAN controllers are
> used for multiple companies, each with its own CA.
> My handler config is below and as you can see the EAPTLS settings share
> the same radius server certificate but only differ in the CA cert used
> to validate the client's cert.

If the clients have different certs from different CAs, you should be able
to use EAPTLS_CAPath instead of EAPTLS_CAFile. Note that the certificate
file names have special requirements. See
https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html and
look for the c_rehash utility.

> The level 4 trace showed that the first AuthBy responds with a challenge
> which didn't match the ContinueUntilAccept AuthByPolicy so the second
> AuthBy was triggered which failed as well.
>
> I've changed the AuthByPolicy to ContinueUntilAcceptOrChallenge but now
> always the first AuthBy is checked until the client gives up authenticating.

I'd say CAPath is a better idea than trying to match client CAs with
individual AuthBys unless there is a way to differentiate between clients.
Is there anything in the requests the clients generate that could help with
choosing the correct Handler?

> Another possibility would be a single AuthBy with all CA certs but how
> would I differentiate which one matched to send different
> Tunnel-Private-Group-ID values back?

You might be able to use EAPTLS_CertificateVerifyHook to check which CA
matched. However, I have not checked in detail if this is possible. I would
first see if the requests have any information that could help with
Handler selection.

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
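Added example, not part of the list post above and not Radiator's own code: a shell script that builds the hash-named directory that EAPTLS_CAPath (via SSL_CTX_load_verify_locations) expects, chain-verifies client certificates from two tenant CAs against it, and then works out which installed CA actually issued a given client certificate so a per-tenant Tunnel-Private-Group-ID could be chosen. It also shows the failure mode a multi-tenant setup has to get right: a CA that is not in the directory is rejected even when it carries the same subject DN as a trusted one, so the tenant decision must key on the CA that verified the chain, not on the issuer DN string. The two tenant CAs, the "rogue" CA, the file names and the VLAN ids 100/200 are all constructed for the example; the only requirement is the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the list post or from Radiator): build a CApath
# directory, verify client certs against it, and map the issuing CA to a
# VLAN id. All CAs, names and VLAN ids below are constructed for illustration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/capath"
mkdir -p "$CAPATH"

# Create one self-signed CA plus a client certificate it signs.
# $1 = short tag used in file names, $2 = CA subject CN
make_tenant() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1-client.key" -out "$WORK/$1-client.csr" \
        -subj "/CN=user@$1.example" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/$1-client.csr" \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/$1-client.pem" >/dev/null 2>&1
}

# Copy a CA into the CApath directory as <subject_hash>.<n>, the file name
# form the by-directory lookup uses (what c_rehash / "openssl rehash"
# produce). Two CAs with colliding hashes get .0 and .1 instead of clobbering.
install_ca() {
    hash=$(openssl x509 -noout -subject_hash -in "$1")
    n=0
    while [ -e "$CAPATH/$hash.$n" ]; do n=$((n + 1)); done
    cp "$1" "$CAPATH/$hash.$n"
}

# SHA-256 fingerprint of a certificate, without the "Fingerprint=" prefix.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Trust decision: chain-verify a client cert against the whole CApath.
# Every CA in the directory is accepted equally; prints ok or fail.
verify_client() {
    if openssl verify -CApath "$CAPATH" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Find the installed CA that really issued (and validates) a client cert and
# print that CA's fingerprint. Matching the issuer DN alone would not do: a
# foreign CA can carry the same subject DN, so each candidate CA under the
# issuer's hash must actually verify the chain before it counts.
issuing_ca_fingerprint() {
    hash=$(openssl x509 -noout -issuer_hash -in "$1")
    for ca in "$CAPATH/$hash".*; do
        [ -e "$ca" ] || continue
        if openssl verify -CAfile "$ca" "$1" >/dev/null 2>&1; then
            fingerprint "$ca"
            return 0
        fi
    done
    return 1
}

# Tenant decision: map the issuing CA to the VLAN id that would be sent back
# as Tunnel-Private-Group-ID. The VLAN ids are an assumption for the example.
vlan_for_client() {
    fp=$(issuing_ca_fingerprint "$1") || { echo ""; return 1; }
    case "$fp" in
        "$FP_A") echo 100 ;;
        "$FP_B") echo 200 ;;
        *) echo ""; return 1 ;;
    esac
}

# Setup: two tenants installed in the CApath, plus a "rogue" CA that reuses
# tenant A's subject DN with a different key and is NOT installed.
make_tenant a "Company A CA"
make_tenant b "Company B CA"
make_tenant rogue "Company A CA"
install_ca "$WORK/a-ca.pem"
install_ca "$WORK/b-ca.pem"
FP_A=$(fingerprint "$WORK/a-ca.pem")
FP_B=$(fingerprint "$WORK/b-ca.pem")

for t in a b rogue; do
    echo "$t: verify=$(verify_client "$WORK/$t-client.pem")" \
         "vlan=$(vlan_for_client "$WORK/$t-client.pem" || true)"
done
```

Running it prints ok/100 for tenant A, ok/200 for tenant B, and fail with an empty VLAN for the rogue client, even though the rogue client's issuer DN is identical to tenant A's CA. The same split applies on the RADIUS side: the CApath (or EAPTLS_CAPath) answers only "is this chain trusted at all", and anything that turns the matching CA into a per-company VLAN has to be driven by the CA that verified the chain, whether that is done in a verify hook or by some other attribute in the request.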