different default_eap_type for different users
Nicolas Boullis
nicolas.boullis at ecp.fr
Thu Jul 2 11:32:53 CEST 2009
Hello,
I'm currently in the process of switching from an old freeradius 1.1.6
to a more recent 2.0.4 (both with debian packages, rebuilt against openssl).
I used to support only 802.1x or WPA clients, all using PEAP/MSchapv2,
so I had default_eap_type=peap in my configuration. But now, I will also
have to support a few 802.1x clients using TLS or MD5.
The bad news is that some IP phones fail to authenticate when
default_eap_type=peap (they only support MD5). Changing to
default_eap_type=md5 works, but I'm not satisfied with it since most
clients use PEAP...
In the default EAP configuration, it is written, about the
default_eap_type=peap option:

    # If the EAP-Type attribute is set by another module,
    # then that EAP type takes precedence over the
    # default type configured here.

Hence, I thought I would use the hints file to force EAP-Type (the good
news is that I can recognize the IP phones with their username):

    CP-7942G-SEP0024C4BE96B7
            EAP-Type = MD5-Challenge

But this apparently does not work.
I also tried to have several eap instances, and check User-Name to know
which one to use in the authorize and authenticate section:

    if (User-Name == "CP-7942G-SEP0024C4BE96B7") {
            eap_ipphones
    }
    else {
            eap
    }

But then freeradius -X fails to start with:

    /etc/freeradius/sites-enabled/default[234]: Unknown Auth-Type
    "(User-Name == "CP-7942G-SEP0024C4BE96B7")" in authenticate sub-section.

Is there a way I can have per-user default_eap_type?
Regards,
--
Nicolas Boullis
Ecole Centrale Paris
France