Hi,
As of 8.5.3 ExtremeControl has the ability to use multiple RADIUS certificates using EAP Group Mappings.
The determination of those certificates is done using EAP Group Mappings via the exchange of RADIUS packets to look at User-Name, NAS-IP-Address (Switch IP) or Calling-station-id (MAC Address), as per below:
You can then use a POSIX regular expression to find a match:
In my case there are two different certificate authorities, some clients will be signed by one, others will be signed by another. This is part of a migration to a new PKI. The issue here is that the only real distinction between client certificates presented to ExtremeControl will be the signing CA.
So the domain, user and NAS IP's in the RADIUS exchange are all going to be the same.
Is there a way to create a filter based on certificate signing CA, or something else I might be able to hook into to make the distinction?
Many thanks in advance.
As of 8.5.3 ExtremeControl has the ability to use multiple RADIUS certificates using EAP Group Mappings.
The determination of those certificates is done using EAP Group Mappings via the exchange of RADIUS packets to look at User-Name, NAS-IP-Address (Switch IP) or Calling-station-id (MAC Address), as per below:
You can then use a POSIX regular expression to find a match:
In my case there are two different certificate authorities, some clients will be signed by one, others will be signed by another. This is part of a migration to a new PKI. The issue here is that the only real distinction between client certificates presented to ExtremeControl will be the signing CA.
So the domain, user and NAS IP's in the RADIUS exchange are all going to be the same.
Is there a way to create a filter based on certificate signing CA, or something else I might be able to hook into to make the distinction?
Many thanks in advance.
