The "right" way to limit a user to one EAP Type

Alan DeKok aland at deployingradius.com
Mon Jul 23 17:13:14 CEST 2007


Artur Hecker wrote:
...
>> # group "foo" must use PEAP
>> DEFAULT My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject
>>
>> # group "bar" must use TTLS
>> DEFAULT My-Group == "bar", EAP-Type != TTLS, Auth-Type := Reject
> 
> That's my problem - I think this cannot work with tunneled methods.

  Try CVS head.  You can have multiple virtual servers, *including*
different servers for PEAP and TTLS tunnels.  *Including* different
virtual servers for tunneled sessions, per NAS, or per user group, or...

  Much better.  Much easier.
>
> ...I have
> no idea how to OR these two (EAP-Type == PEAP OR EAP-MSCHAPv2), but  
> even that would not be satisfactory since it would allow to use brute  
> EAP-MSCHAPv2 without a tunnel.

DEFAULT FreeRADIUS-Proxied-To != 127.0.0.1, EAP-Type == EAP-MSCHAPv2,
Auth-Type := Reject

> If I'm not mistaken, it would be nice to have two different  
> attributes like EAP-Type and EAP-Inner-Type or something OR we need  
> different SQL queries for the inner and the outer methods  
> configurable... Am I wrong?

  Nope.  2.0 supports that.  Easily.

  Alan DeKok.
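As an added example (not from Alan's message and not copied from the FreeRADIUS project's own configuration files), this is how the 2.0-style setup described above can be wired: each tunnel type gets its own inner virtual server, the inner server rejects anything that is not the expected group, and the outer server refuses bare EAP-MSCHAPv2 that did not arrive through a tunnel. The group attribute My-Group and the group names "foo" and "bar" are placeholders taken from the thread; the virtual-server names inner-peap and inner-ttls and the file layout are assumptions.

```conf
# eap.conf (assumed layout): send each tunnel type to its own virtual server
eap {
    default_eap_type = peap

    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-peap"     # assumed server name
    }

    ttls {
        default_eap_type = mschapv2
        virtual_server = "inner-ttls"     # assumed server name
    }
}

# sites-enabled/inner-peap (assumed file): only group "foo" may use PEAP.
# My-Group is the placeholder from the thread; it is expected to be set
# by an earlier module (files, sql, ...) before the check runs.  If the
# attribute is absent the comparison is false, so the request is rejected
# rather than silently allowed.
server inner-peap {
    authorize {
        files
        if (My-Group != "foo") {
            reject
        }
        mschap
        eap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}

# sites-enabled/inner-ttls (assumed file): only group "bar" may use TTLS
server inner-ttls {
    authorize {
        files
        if (My-Group != "bar") {
            reject
        }
        mschap
        eap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}

# users file for the *outer* (default) server: the same rule Alan gives
# above, written as a check item.  Inner-tunnel requests carry
# FreeRADIUS-Proxied-To = 127.0.0.1, so only untunneled EAP-MSCHAPv2
# matches and is rejected.
DEFAULT FreeRADIUS-Proxied-To != 127.0.0.1, EAP-Type == EAP-MSCHAPv2, Auth-Type := Reject
```

Because each inner virtual server only ever sees requests that came through its own tunnel type, the per-group check there is equivalent to "group foo must use PEAP, group bar must use TTLS" without needing to OR EAP-Type values in a single rule.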
