The "right" way to limit a user to one EAP Type
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jul 23 11:21:26 CEST 2007
On Mon, 2007-07-23 at 10:20 +0200, Artur Hecker wrote:
> Hello
>
>
> In the default configuration, if a User-Password is defined for a
> user, the user can be authenticated by all applicable authentication
> types. That is the sense and the beauty of the default configuration :-)
>
> However, in a practical deployment, a serious security policy is
> likely to state the contrary: every user (or usergroup) should be
> authenticated by exactly one authentication method.
Why?
Surely a method is either secure (in which case you'd let people use it)
or insecure (in which case you'd let no-one use it)?
I would consider our deployment "practical" (>20k users, almost 400 APs)
and we don't care what method they use, as long as it's secure and
generates keys.
>
> What is the "right" (recommended) way to do it? Could not find
> anything on that in Wiki. (Would be glad to add it, when finished).
Do you want to restrict everyone to a single EAP type, or different
people/groups to different EAP types?
>
>
> Background: I used to restrict users by explicitly setting for them
> (their group) EAP-Type := something, according to the user profile.
> However, as of 1.1.6, my wireless PEAP(-MSCHAPv2) user authentication
> does not work anymore as before: the inner PEAP authentication fails
> with "cannot tunnel TLS in TLS", most probably since the authorize
> module (sql) sets EAP-Type := PEAP. It *may* be just me though.
Yeah, don't do that. Have something like:
authorize {
    preprocess
    eap
    files
}
in "users":
# group "foo" must use PEAP
DEFAULT My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject
# group "bar" must use TTLS
DEFAULT My-Group == "bar", EAP-Type != TTLS, Auth-Type := Reject
My-Group might be populated using rlm_passwd, or you might use SQL-Group
or LDAP-Group or whatever.
However, this only restricts the outer EAP type, *AND* relies on the
outer ID being the same as the inner ID i.e. you get no anonymous outer
ID.
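As an added illustration, not part of the message above and not FreeRADIUS code, the following Python model evaluates the two "users" entries from the reply the way rlm_files applies check items (first matching entry wins, all check items must hold, Auth-Type := Reject is a control item) and shows the caveat at the end: when the outer identity is anonymous, nothing can populate My-Group, so neither DEFAULT entry matches and the request simply continues to the EAP module. The GROUP_OF table stands in for rlm_passwd / SQL-Group / LDAP-Group and is constructed; the rule that a check item only matches when its attribute is present in the request is a simplifying assumption of this model, not a statement about FreeRADIUS internals.

```python
# Added example (not FreeRADIUS code): a small model of how the "users"-file
# check items from the message select Auth-Type := Reject, and why the policy
# silently does nothing when the outer EAP identity is anonymous.
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    """One check item, e.g. EAP-Type != PEAP."""
    attr: str
    op: str      # "==" or "!="
    value: str

    def matches(self, request: dict) -> bool:
        # Simplifying assumption of this model: a check item can only match
        # when the attribute is actually present in the request.
        if self.attr not in request:
            return False
        actual = request[self.attr]
        if self.op == "==":
            return actual == self.value
        if self.op == "!=":
            return actual != self.value
        raise ValueError(f"unsupported operator {self.op!r}")


@dataclass(frozen=True)
class Entry:
    """One "users" entry: its name, its check items and the control items it sets."""
    name: str
    checks: tuple
    control: dict


def parse_users(text: str) -> list:
    """Parse the one-line subset of the users-file syntax used in the message:
       NAME  Attr op value, Attr op value, ...   (':=' items are control items)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, rest = line.split(None, 1)
        checks, control = [], {}
        for item in rest.split(","):
            attr, op, value = item.split()
            value = value.strip('"')
            if op == ":=":
                control[attr] = value
            else:
                checks.append(Check(attr, op, value))
        entries.append(Entry(name, tuple(checks), control))
    return entries


# The two entries quoted in the reply above.
USERS_FILE = """
# group "foo" must use PEAP
DEFAULT My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject
# group "bar" must use TTLS
DEFAULT My-Group == "bar", EAP-Type != TTLS, Auth-Type := Reject
"""

# Constructed stand-in for whatever populates My-Group (rlm_passwd, SQL-Group,
# LDAP-Group ...): it only knows real identities, so an anonymous outer ID
# maps to no group at all.
GROUP_OF = {"alice": "foo", "bob": "bar"}


def authorize(entries: list, request: dict) -> dict:
    """Control items set by the first entry (matching the User-Name or DEFAULT)
       whose check items all hold; no Fall-Through in this model."""
    for e in entries:
        if e.name not in ("DEFAULT", request.get("User-Name")):
            continue
        if all(c.matches(request) for c in e.checks):
            return dict(e.control)
    return {}


def decide(outer_identity: str, eap_type: str) -> str:
    """Outcome for the outer EAP request: 'reject' or 'continue' (on to eap)."""
    request = {"User-Name": outer_identity, "EAP-Type": eap_type}
    group = GROUP_OF.get(outer_identity)
    if group is not None:
        request["My-Group"] = group
    # With an anonymous outer ID, My-Group is never set, so the per-group
    # restriction is not applied: this is the caveat stated in the message.
    control = authorize(parse_users(USERS_FILE), request)
    return "reject" if control.get("Auth-Type") == "Reject" else "continue"


if __name__ == "__main__":
    for ident, eap in [("alice", "PEAP"), ("alice", "TTLS"), ("bob", "TTLS"),
                       ("bob", "PEAP"), ("anonymous", "TTLS")]:
        print(f"{ident:10} {eap:5} -> {decide(ident, eap)}")
```

Running it prints reject only for alice/TTLS and bob/PEAP; the anonymous/TTLS request continues untouched, which is exactly why this technique only works when the outer identity equals the inner one.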