concurrent TTLS and PEAP usage

Artur Hecker hecker at enst.fr
Wed Aug 31 15:54:03 CEST 2005


hi Alan
hi Stefan


thanks for your help. I think I understand the idea. however my problems 
are on the implementation level.

two things are still not clear to me.

1. we use 'sql' and not 'files' (my fault I didn't mention it 
previously) and thus I don't see how I can add the line below to my user 
profile who already has things like User-Password ==..., etc. I tried 
adding user user_ttls into group TTLS and then using radgroupcheck like 
this:

radgroupcheck:
id  User       Attribute  op  Value
2   user_ttls  EAP-Type   !=  TTLS
3   user_ttls  Auth-Type  :=  Reject

but then user_ttls gets rejected. how do I implement it with SQL?

2. we experimented with EAP-Type, but at least for PEAP as soon as we 
specify it somewhere in radcheck, PEAP breaks with a server error 
message saying that the client has sent a TLV rejecting the connection.

Alan: like Stefan proposed I also thought about something like 
FreeRadius-Proxied-To, because I think that your proposal might not work 
as soon as the internal method starts for the user. Or don't external 
methods use EAP-Type? (still I am not sure how to define "conditions" in 
sql tables: if EAP-Type not this value, then add Auth-Type=...)


ciao
artur


Alan DeKok wrote:
> Artur Hecker <hecker at enst.fr> wrote:
> 
>>user_ttls	EAP-Type != PEAP
>>
>>that however only prohibits the usage of PEAP for user_ttls while I 
>>would like to only enable TTLS for this specific user (which is not 
>>quite the same).
> 
> 
> user_ttls   EAP-Type != TTLS, Auth-Type := Reject
> 
>   See the dictionaries for EAP-Type names.
> 
>   Alan DeKok.


