basic handling of multiple EAP-Methods by freerad

Alan DeKok aland at
Thu Jun 29 18:49:07 CEST 2006

"Rainer Brinkmann" <brinkman at> wrote:
> we wonder, how a freeradius can request a client to use a fixed EAP-Method:
> so its defined:
> Client starts with EAP-Start-Msg
> Radius wants EAP-Identity
> Client answers with Username or Hostname NOT using a special EAP-Method

  That isn't how EAP works.

> you run in your wireless LAN many SSIDs:
> SSID1 shall use EAP-TTLS
> SSID2 shall use EAP-TLS    (high-secured Net like personal Data)
> what logic starts the right inner-EAP-Protocol, cause neither the
> AccessPoint(WLAN-Controller), nor the
> radius server know, what Method to use, when there are many enabled.

  The supplicant.  i.e. the laptop, usually.

  What you can do in the default config is something like the following:

DEFAULT SSID == "SSID1", Eap-Type != EAP-TTLS, Auth-Type := Reject

  You'll have to look in the RADIUS packet to see how the SSID comes
in, and match that.  But that *should* reject anyone on SSID1 who
isn't using TTLS.

  The reason you have to reject the request, rather than forcing
people to use TTLS is that you *can't* force people to use TTLS.  They
use whatever they want, and the server has to deal with it.

  Alan DeKok.

More information about the Freeradius-Users mailing list