concurrent TTLS and PEAP usage

Artur Hecker hecker at
Wed Aug 31 15:54:03 CEST 2005

hi Alan
hi Stefan

thanks for your help. I think I understand the idea. however my problems 
are on the implementation level.

two things are still not clear to me.

1. we use 'sql' and not 'files' (my fault I didn't mention it 
previously) and thus I don't see how I can add the line below to my user 
profile who already has things like User-Password ==..., etc. I tried 
adding user user_ttls into group TTLS and then using radgroupcheck like 

id	User		Attribute	op	Value	
2 	user_ttls 	EAP-Type 	!= 	TTLS
3 	user_ttls 	Auth-Type	:=	Reject

but then user_ttls gets rejected. how do I implement it with SQL?

2. we experimented with EAP-Type, but at least for PEAP as soon as we 
specify it somewhere in radcheck, PEAP breaks with a server error 
message saying that the client has sent a TLV rejecting the connection.

Alan: like Stefan proposed I also thought about something like 
FreeRadius-Proxied-To, because I think that your proposal might not work 
as soon as the internal method starts for the user. Or don't external 
methods use EAP-Type? (still I am not sure how to define "conditions" in 
sql tables: if EAP-Type not this value, then add Auth-Type=...)


Alan DeKok wrote:
> Artur Hecker <hecker at> wrote:
>>user_ttls	EAP-Type != PEAP
>>that however only prohibits the usage of PEAP for user_ttls while i 
>>would like to only enable TTLS for this specific user (which is not 
>>quite the same).
> user_ttls   EAP-Type != TTLS, Auth-Type := Reject
>   See the dictionaries for EAP-Type names.
>   Alan DeKok.
