concurrent TTLS and PEAP usage
Artur Hecker
hecker at enst.fr
Wed Aug 31 22:33:38 CEST 2005
Alan, Stefan
replying to myself:
using 'files' I've managed to make it work. the correct (working)
configuration is:
user_ttls  FreeRadius-Proxied-To == "127.0.0.1", User-Password == "test_ttls"
           Session-Timeout = 3600

user_ttls  EAP-Type != EAP-TTLS
           Auth-Type := Reject

user_peap  FreeRadius-Proxied-To == "127.0.0.1", User-Password == "test_peap"
           Session-Timeout = 3600

user_peap  EAP-Type != PEAP
           Auth-Type := Reject

that does exactly what I wanted. works like a charm for both PEAP and
TTLS users.
could somebody explain to me how I can translate it into an SQL config?
ciao
artur
Artur Hecker wrote:
>
> hi Alan
> hi Stefan
>
>
> thanks for your help. I think I understand the idea. however my problems
> are on the implementation level.
>
> two things are still not clear to me.
>
> 1. we use 'sql' and not 'files' (my fault i didn't mention it
> previously) and thus I don't see how I can add the line below to my user
> profile who already has things like User-Password ==..., etc. I tried
> adding user user_ttls into group TTLS and then using radgroupcheck like
> this:
>
> radgroupcheck:
> id User Attribute op Value
> 2 user_ttls EAP-Type != TTLS
> 3 user_ttls Auth-Type := Reject
>
> but then user_ttls gets rejected. how do I implement it with SQL?
>
> 2. we experimented with EAP-Type, but at least for PEAP as soon as we
> specify it somewhere in radcheck, PEAP breaks with a server error
> message saying that the client has sent a TLV rejecting the connection.
>
> Alan: like Stefan proposed I also thought about something like
> FreeRadius-Proxied-To, because i think that your proposal might not work
> as soon as the internal method starts for the user. Or don't external
> methods use EAP-Type? (still I am not sure how to define "conditions" in
> sql tables: if EAP-Type not this value, then add Auth-Type=...)
>
>
> ciao
> artur
>
>
> Alan DeKok wrote:
>
>> Artur Hecker <hecker at enst.fr> wrote:
>>
>>> user_ttls EAP-Type != PEAP
>>>
>>> that however only prohibits the usage of PEAP for user_ttls while i
>>> would like to only enable TTLS for this specific user (which is not
>>> quite the same).
>>
>>
>>
>> user_ttls EAP-Type != TTLS, Auth-Type := Reject
>>
>> See the dictionaries for EAP-Type names.
>>
>> Alan DeKok.
>