Thanks!<div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Nov 9, 2012 at 3:12 PM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">Stefano Zanmarchi wrote:<br>
> we're currently supporting only PEAP, that is we base our security on<br>
> passwords.<br>
> We'd like to introduce higher security for a limited set of users this way:<br>
> 1. support both PEAP and EAP/TTLS<br>
> 2. configure freeradius to authenticate these users (stored in a local<br>
> table)<br>
> *only* if they use EAP/TTLS. They should *not* be authenticated if<br>
> they used PEAP.<br>
<br>
</div> Put the users into a group. Then, in the "authorize" section, after<br>
"eap", do:<br>
<br>
<br>
if ((EAP-Type == PEAP) && (My-Group == "notpeap")) {<br>
reject<br>
}<br>
<br>
See "man rlm_passwd" for examples of creating a group.<br>
<span class="HOEnZb"><font color="#888888"><br>
Alan DeKok.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</font></span></blockquote></div><br></div>