hi Alan hi Stefan thanks for your help. I think I understand the idea. however my problems are on the implementation level. two things are still not clear to me. 1. we use 'sql' and not 'files' (my fault i didn't mention it previously) and thus I don't see how I can add the line below to my user profile who already has things like User-Password ==..., etc. I tried adding user user_ttls into group TTLS and then using radgroupcheck like this: radgroupcheck: id User Attribute op Value 2 user_ttls EAP-Type != TTLS 3 user_ttls Auth-Type := Reject but then user_ttls gets rejected. how do I implement it with SQL? 2. we experimented with EAP-Type, but at least for PEAP as soon as we specify it somewhere in radcheck, PEAP breaks with a server error message saying that the client has sent a TLV rejecting the connection. Alan: like Stefan proposed I also thought about something like FreeRadius-Proxied-To, because i think that you proposal might not work as soon as the internal method starts for the user. Or don't external methods use EAP-Type? (still I am not sure how to define "conditions" in sql tables: if EAP-Type not this value, then add Auth-Type=...) ciao artur Alan DeKok wrote:
Artur Hecker <hecker@enst.fr> wrote:
user_ttls EAP-Type != PEAP
that however only prohibits the usage of PEAP for user_ttls while i would like to only enable TTLS for this specific user (which is not quite the same).
user_ttls EAP-Type != TTLS, Auth-Type := Reject
See the dictionaries for EAP-Type names.
Alan DeKok.