concurrent TTLS and PEAP usage

Artur Hecker hecker at
Tue Aug 30 17:04:11 CEST 2005


we have a Wifi 802.1X network with both TTLS and PEAP users (TTLS/PAP 
mostly for non-windows machines, PEAP/MSCHAPv2 for windows machines). 
(we also have TLS users, but that's out of scope).

both work like a charm. however, we'd like to prevent PEAP accounts to 
log in with TTLS and vice-versa (that's a pure policy decision - one 
user profile should specify exactly one auth method). this works mainly 
because we store clear text passwords for both MSCHAPv2 and PAP.

assuming e.g. two users user_peap with PEAP/MS-CHAPv2 and user_ttls with 
TTLS/CHAP, we would like to modify the profile of the user user_peap so 
he can't change the exterior method to TTLS/PAP and vs.

note that we don't necessarily use exterior names (since e.g. MS Windows 
machines  do not permit to specify an alternative user name for the 
exterior EAP tunnel).

we naively try to specify EAP-Type == PEAP for user_peap and == TTLS for 
user_ttls but that breaks both methods (which seems normal since this 
EAP-Type definition is not correct for the internal EAP method which 
however uses the same user name).

i thought about specifying tunneled attributes as check items. it turns 
out that FR does not show them in the log and I believe that these are 
not the same for the PEAP and TTLS anyway.

thus the question to the list: how can I specify an "PEAP/MS-CHAPv2 
only" user profile? how can i specify a "TTLS/PAP only" user profile?


More information about the Freeradius-Users mailing list