Hi all, i need to authenicate in wireless network only users that use eap-tls as method, and reject the same user that try in peap. I just use Huntgroup for filtering the users, but the same username can be used in wired network with PEAP and in wireless netwok by TLS. I insert in my users file this configuration item: DEFAULT Huntgroup-Name == wi-fi, Ldap-Group == "wifi", EAP-Type == PEAP, Auth-Type := Reject DEFAULT Huntgroup-Name == wi-fi, Ldap-Group == "wifi", EAP-Type == TLS Fall-Through = No DEFAULT Ldap-Group == "user", Huntgroup-Name == user Fall-Through = No The fist DEFAULT should reject the request if the EAP-type is PEAP, while the second DEFAULT should accept only the request if the EAP is TLS .... i think :-)) but during the test i note that if i force wifi in PEAP, the request is reject from the second default, and not in the fist, this is the log: Wed Jun 24 14:02:36 2009 : Debug: users: Matched entry DEFAULT at line 3 ( line 3 is the second DEFAULT ) the reject is because it dont is able to oepn tls If i try in TLS the system accept the request.... The questions is....Why the Peap request dont match the fist DEFAULT ? thanks for all help mauro
Mauro Screti wrote:
i need to authenicate in wireless network only users that use eap-tls as method, and reject the same user that try in peap.
If you're using 2.x, stop editing the "users" file, or the "huntgroup" file, and just write the policy in unlang. it will be clearer, and it is more likely to work.
DEFAULT Huntgroup-Name == wi-fi, Ldap-Group == "wifi", EAP-Type == TLS Fall-Through = No ... The fist DEFAULT should reject the request if the EAP-type is PEAP, while the second DEFAULT should accept only the request if the EAP is TLS .... i think :-))
No. The second request says "compare, and then do nothing". Alan DeKok.
I insert in my users file this configuration item:
DEFAULT Huntgroup-Name == wi-fi, Ldap-Group == "wifi", EAP-Type == PEAP, Auth-Type := Reject
DEFAULT Huntgroup-Name == wi-fi, Ldap-Group == "wifi", EAP-Type == TLS Fall-Through = No
DEFAULT Ldap-Group == "user", Huntgroup-Name == user Fall-Through = No
The fist DEFAULT should reject the request if the EAP-type is PEAP, while the second DEFAULT should accept only the request if the EAP is TLS .... i think :-))
but during the test i note that if i force wifi in PEAP, the request is reject from the second default, and not in the fist, this is the log:
Wed Jun 24 14:02:36 2009 : Debug: users: Matched entry DEFAULT at line 3 ( line 3 is the second DEFAULT )
the reject is because it dont is able to oepn tls
If i try in TLS the system accept the request....
The questions is....Why the Peap request dont match the fist DEFAULT ?
Because peap is treated as subsection of tls. Use listen section to direct requests from wi-fi huntgroup clients to one virtual server and user to another. Create two eap instances - one standard, and one without peap configured. Use the one with peap disabled in virtual server which processes wi-fi requests. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Alan DeKok -
Ivan Kalik -
Mauro Screti