problem to forcing TLS and reject PEAP

Mauro Screti mauro.screti at
Wed Jun 24 15:23:50 CEST 2009

Hi all,

i need to authenicate in wireless network only users that use eap-tls as 
method, and reject the same user that try in peap.
I just use Huntgroup for filtering the users, but the same username can 
be used in wired network with PEAP and in wireless netwok by TLS.

I insert in my users file this configuration item:

DEFAULT Huntgroup-Name == wi-fi, Ldap-Group == "wifi", EAP-Type == PEAP, 
Auth-Type := Reject

DEFAULT Huntgroup-Name == wi-fi, Ldap-Group == "wifi", EAP-Type == TLS
    Fall-Through = No

DEFAULT Ldap-Group == "user", Huntgroup-Name == user
    Fall-Through = No

The fist DEFAULT should reject the request if  the EAP-type is PEAP, 
while the second DEFAULT should accept only the request if the EAP is 
TLS .... i think :-))

but during the test i note that if i force wifi in PEAP, the request is 
reject from the second default, and not in the fist, this is the log:

Wed Jun 24 14:02:36 2009 : Debug:     users: Matched entry DEFAULT at 
line 3  ( line 3 is the second DEFAULT )

the reject is because it dont is able to oepn tls

If i try in TLS  the system accept the request....

The questions is....Why the Peap request dont match the fist DEFAULT ?

thanks for all help


More information about the Freeradius-Users mailing list