Artur Hecker wrote: ...
# group "foo" must use PEAP DEFAULT My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject
# group "bar" must use TTLS DEFAULT My-Group == "bar", EAP-Type != TTLS, Auth-Type := Reject
That's my problem - I think this cannot work with tunneled methods.
Try CVS head. You can have multiple virtual servers, *including* different servers for PEAP and TTLS tunnels. *Including* different virtual servers for tunneled sessions, per NAS, or per user group, or... Much better. Much easier.
...I have
no idea how to OR these two (EAP-Type == PEAP OR EAP-MSCHAPv2), but even that would not be satisfactory since it would allow to use brute EAP-MSCHAPv2 without a tunnel.
DEFAULT FreeRADIUS-Proxied-To != 127.0.0.1, EAP-Type == EAP-MSCHAPv2, Auth-Type := Reject
If I'm not mistaken, it would be nice to have two different attributes like EAP-Type and EAP-Inner-Type or something OR we need different SQL queries for the inner and the outer methods configurable... Am I wrong?
Nope. 2.0 supports that. Easily. Alan DeKok.