The "right" way to limit a user to one EAP Type
Artur Hecker
hecker at wave-storm.com
Mon Jul 23 10:20:42 CEST 2007
Hello,

In the default configuration, if a User-Password is defined for a
user, the user can be authenticated by all applicable authentication
types. That is the sense and the beauty of the default configuration :-)

However, in a practical deployment, a serious security policy is
likely to state the contrary: every user (or user group) should be
authenticated by exactly one authentication method.

What is the "right" (recommended) way to do it? Could not find
anything on that in the Wiki. (Would be glad to add it when finished.)

Background: I used to restrict users by explicitly setting for them
(their group) EAP-Type := something, according to the user profile.
However, as of 1.1.6, my wireless PEAP(-MSCHAPv2) user authentication
does not work anymore as before: the inner PEAP authentication fails
with "cannot tunnel TLS in TLS", most probably since the authorize
module (sql) sets EAP-Type := PEAP. It *may* be just me though.

thanks
artur