I currently have a FreeRADIUS setup using EAP-TTLS.

I'd like to set it up such that requests coming from localhost use PAP, but that other requests still use EAP-TTLS.

How do I select authentication method used on a per-client basis?

Arran Cudbard-Bell
Tim Morris

1 Answer

You can use the %{client:} expansion to query attributes of the client where the request originated.

authorize {
    if ("%{client:shortname}" == 'localhost') {
        pap
    } else {
        eap
    }
}

Adding the above snippet would result in the pap module being called if the client was configured with a shortname of 'localhost', otherwise the eap module would be called.

You can actually place arbitrary attributes in a client section and reference them with the client expansion i.e.

client my_client {
    ipaddr = 127.0.0.1
    foo = 'bar'
}

"%{client:foo}" # Which would expand to "bar"
Arran Cudbard-Bell
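
The two snippets in the answer above combined into one configuration, added here as an example and not part of the original answer: the authentication method is chosen from a custom client attribute rather than the shortname, so a client that is not explicitly marked for PAP stays on EAP. The attribute name `auth_policy`, the client names, the address and the secret placeholder are assumptions, and the syntax assumed is FreeRADIUS 3.x.

```conf
# clients.conf
# 'auth_policy' is a hypothetical custom attribute, not a built-in option.
client localhost {
    ipaddr      = 127.0.0.1
    secret      = "REPLACE_WITH_SHARED_SECRET"   # placeholder
    auth_policy = 'pap'
}

client wifi_controller {
    ipaddr      = 192.0.2.10                     # constructed example address
    secret      = "REPLACE_WITH_SHARED_SECRET"   # placeholder
    # No auth_policy here: %{client:auth_policy} expands to an empty
    # string for this client, so the comparison below is false.
}

# sites-enabled/default
authorize {
    # Only clients explicitly marked 'pap' take the PAP path. Any client
    # without the attribute, including one added later and left
    # unmarked, falls through to the EAP branch.
    if ("%{client:auth_policy}" == 'pap') {
        pap
    } else {
        eap
    }
}
```

Matching on an opt-in attribute keeps the weaker method tied to an explicit setting in the client definition instead of to a name that could be reused or changed.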