problem to forcing TLS and reject PEAP

Alan DeKok aland at
Wed Jun 24 20:35:10 CEST 2009

Mauro Screti wrote:
> i need to authenicate in wireless network only users that use eap-tls as
> method, and reject the same user that try in peap.

  If you're using 2.x, stop editing the "users" file, or the "huntgroup"
file, and just write the policy in unlang.  it will be clearer, and it
is more likely to work.

> DEFAULT Huntgroup-Name == wi-fi, Ldap-Group == "wifi", EAP-Type == TLS
>    Fall-Through = No
> The fist DEFAULT should reject the request if  the EAP-type is PEAP,
> while the second DEFAULT should accept only the request if the EAP is
> TLS .... i think :-))

  No.  The second request says "compare, and then do nothing".

  Alan DeKok.

More information about the Freeradius-Users mailing list