concurrent TTLS and PEAP usage
hecker at enst.fr
Wed Aug 31 15:54:03 CEST 2005
Thanks for your help. I think I understand the idea. However, my problems
are on the implementation level.
Two things are still not clear to me.
1. We use 'sql' and not 'files' (my fault, I didn't mention it
previously) and thus I don't see how I can add the line below to my user
profile, which already has things like User-Password ==..., etc. I tried
adding user user_ttls into group TTLS and then using radgroupcheck like

    id  User       Attribute  op  Value
    2   user_ttls  EAP-Type   !=  TTLS
    3   user_ttls  Auth-Type  :=  Reject

but then user_ttls gets rejected. How do I implement it with SQL?
2. We experimented with EAP-Type, but at least for PEAP, as soon as we
specify it somewhere in radcheck, PEAP breaks with a server error
message saying that the client has sent a TLV rejecting the connection.
Alan: like Stefan proposed, I also thought about something like
FreeRadius-Proxied-To, because I think that your proposal might not work
as soon as the internal method starts for the user. Or don't external
methods use EAP-Type? (Still, I am not sure how to define "conditions" in
sql tables: if EAP-Type not this value, then add Auth-Type=...)
Alan DeKok wrote:
> Artur Hecker <hecker at enst.fr> wrote:
>>user_ttls EAP-Type != PEAP
>>That, however, only prohibits the usage of PEAP for user_ttls, while I
>>would like to only enable TTLS for this specific user (which is not
>>quite the same).
> user_ttls EAP-Type != TTLS, Auth-Type := Reject
> See the dictionaries for EAP-Type names.
> Alan DeKok.