On Mon, 2007-07-23 at 10:20 +0200, Artur Hecker wrote:
Hello
In the default configuration, if a User-Password is defined for a user, the user can be authenticated by all applicable authentication types. That is the sense and the beauty of the default configuration :-)
However, in a practical deployment, a serious security policy is likely to state the contrary: every user (or usergroup) should be authenticated by exactly one authentication method.
Why? Surely a method is either secure (in which case you'd let people use it) or insecure (in which case you'd let no-one use it)? I would consider our deployment "practical" (>20k users, almost 400 APs) and we don't care what method they use, as long as it's secure and generates keys.
What is the "right" (recommended) way to do it? Could not find anything on that in Wiki. (Would be glad to add it, when finished).
Do you want to restrict everyone to a single EAP type, or different people/groups to different EAP types?
Background: I used to restrict users by explicitly setting for them (their group) EAP-Type := something, according to the user profile. However, as of 1.1.6, my wireless PEAP(-MSCHAPv2) user authentication does not work anymore as before: the inner PEAP authentication fails with "cannot tunnel TLS in TLS", most probably since the authorize module (sql) sets EAP-Type := PEAP. It *may* be just me though.
Yeah, don't do that. Have something like: authorize { preprocess eap files } in "users": # group "foo" must use PEAP DEFAULT My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject # group "bar" must use TTLS DEFAULT My-Group == "bar", EAP-Type != TTLS, Auth-Type := Reject My-Group might be populated using rlm_passwd, or you might use SQL-Group or LDAP-Group or whatever. However, this only restricts the outer EAP type, *AND* relies on the outer ID being the same as the inner ID i.e. you get no anonymous outer ID.