The "right" way to limit a user to one EAP Type
    Alan DeKok
    aland at deployingradius.com
    Mon Jul 23 17:13:14 CEST 2007

Artur Hecker wrote:
...
>> # group "foo" must use PEAP
>> DEFAULT	My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject
>>
>> # group "bar" must use TTLS
>> DEFAULT My-Group == "bar", EAP-Type != TTLS, Auth-Type := Reject
> 
> That's my problem - I think this cannot work with tunneled methods.
  Try CVS head.  You can have multiple virtual servers, *including*
different servers for PEAP and TTLS tunnels.  *Including* different
virtual servers for tunneled sessions, per NAS, or per user group, or...
  Much better.  Much easier.
>
> ...I have
> no idea how to OR these two (EAP-Type == PEAP OR EAP-MSCHAPv2), but
> even that would not be satisfactory since it would allow using brute
> EAP-MSCHAPv2 without a tunnel.
DEFAULT FreeRADIUS-Proxied-To != 127.0.0.1, EAP-Type == EAP-MSCHAPv2,
Auth-Type := Reject
> If I'm not mistaken, it would be nice to have two different  
> attributes like EAP-Type and EAP-Inner-Type or something OR we need  
> different SQL queries for the inner and the outer methods  
> configurable... Am I wrong?
  Nope.  2.0 supports that.  Easily.
  Alan DeKok.
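The per-tunnel virtual servers Alan refers to, as an added configuration sketch that is not part of the thread or of the FreeRADIUS distribution: the inner requests of PEAP and TTLS are routed to separate servers, so the outer users file only ever sees the outer EAP-Type and the inner method is policed where it is decoded. The server names "inner-peap" and "inner-ttls" are assumed, and the EAP-Type value names follow the thread's spelling and must match the local dictionary.

```conf
# eap.conf (FreeRADIUS 2.x): one inner virtual server per tunnel type.
# Server names are assumed for this example.
eap {
	default_eap_type = peap
	peap {
		default_eap_type = mschapv2
		# every request decoded from a PEAP tunnel is handed to this server
		virtual_server = "inner-peap"
	}
	ttls {
		default_eap_type = md5
		# requests decoded from a TTLS tunnel go to a different server
		virtual_server = "inner-ttls"
	}
}

# sites-enabled/inner-peap: only PEAP inner requests ever arrive here, so
# "which tunnel" is known from the server that runs, not from a users-file flag.
server inner-peap {
	authorize {
		eap
		# the eap module has set EAP-Type for the inner method; anything
		# other than EAP-MSCHAPv2 inside the PEAP tunnel is rejected
		if (EAP-Type && (EAP-Type != EAP-MSCHAPv2)) {
			reject
		}
		files
	}
	authenticate {
		eap
	}
}

# sites-enabled/inner-ttls: TTLS with a plain (non-EAP) inner method such as
# PAP carries User-Password, so any EAP-Message here is out of policy.
server inner-ttls {
	authorize {
		if (EAP-Message) {
			reject
		}
		files
		pap
	}
	authenticate {
		pap
	}
}
```

With this split, the outer users-file entries from the thread ("DEFAULT My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject") are evaluated only against the outer request, so they no longer trip on the inner EAP-MSCHAPv2 leg, and bare EAP-MSCHAPv2 without a tunnel is still caught by the outer rule.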