9 Nov
2012
9 Nov
'12
9:12 a.m.
Stefano Zanmarchi wrote:
we're currently supporting only PEAP, that is we base our security on passwords. We'd like to introduce higher security for a limited set of users this way: 1. support both PEAP and EAP/TTLS 2. configure freeradius to authenticate these users (stored in a local table) *only* if they use EAP/TTLS. They should *not* be authenticated if they used PEAP.
Put the users into a group. Then, in the "authorize" section, after "eap", do: if ((EAP-Type == PEAP) && (My-Group == "notpeap")) { reject } See "man rlm_passwd" for examples of creating a group. Alan DeKok.