problem to forcing TLS and reject PEAP
Ivan Kalik
tnt at kalik.net
Thu Jun 25 11:07:22 CEST 2009
> I insert in my users file this configuration item:
>
> DEFAULT Huntgroup-Name == wi-fi, Ldap-Group == "wifi", EAP-Type == PEAP,
> Auth-Type := Reject
>
> DEFAULT Huntgroup-Name == wi-fi, Ldap-Group == "wifi", EAP-Type == TLS
> Fall-Through = No
>
> DEFAULT Ldap-Group == "user", Huntgroup-Name == user
> Fall-Through = No
>
>
>
> The first DEFAULT should reject the request if the EAP-type is PEAP,
> while the second DEFAULT should accept the request only if the EAP is
> TLS .... I think :-))
>
>
> but during the test I noted that if I force wifi in PEAP, the request is
> rejected by the second DEFAULT, and not by the first. This is the log:
>
> Wed Jun 24 14:02:36 2009 : Debug: users: Matched entry DEFAULT at
> line 3 ( line 3 is the second DEFAULT )
>
> the reject is because it isn't able to open tls
>
> If I try in TLS the system accepts the request....
>
> The question is....Why doesn't the PEAP request match the first DEFAULT ?
Because peap is treated as a subsection of tls.
Use a listen section to direct requests from wi-fi huntgroup clients to one
virtual server and user to another. Create two eap instances - one
standard, and one without peap configured. Use the one with peap disabled
in the virtual server which processes wi-fi requests.
Ivan Kalik
Kalik Informatika ISP
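
The setup described in the reply above, sketched as an added example for FreeRADIUS 2.x; it is not part of the original post or of the project's shipped configuration. The instance name `eap_tls_only`, the server name `wifi`, the client list `wifi_clients`, the addresses, the secret and the certificate paths are all assumptions.

```conf
# eap.conf: second EAP instance beside the standard "eap" one.
# It has a tls{} subsection only, so PEAP and TTLS cannot be negotiated.
eap eap_tls_only {
	default_eap_type = tls
	timer_expire = 60
	ignore_unknown_eap_types = no

	tls {
		private_key_file = ${certdir}/server.pem   # assumed path
		certificate_file = ${certdir}/server.pem   # assumed path
		CA_file = ${cadir}/ca.pem                  # assumed path
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
	}
	# deliberately no peap { } and no ttls { } subsections
}

# radiusd.conf: socket that only the wi-fi NASes are pointed at.
listen {
	type = auth
	ipaddr = 192.0.2.10        # constructed address
	port = 1812
	clients = wifi_clients     # only these clients may use this socket
	virtual_server = wifi
}

# clients.conf: the wi-fi huntgroup's NASes (constructed values).
clients wifi_clients {
	client wifi-ap-1 {
		ipaddr = 192.0.2.50
		secret = CHANGE_ME     # placeholder
	}
}

# sites-enabled/wifi: virtual server that uses the TLS-only instance.
server wifi {
	authorize {
		preprocess
		eap_tls_only
		files                  # users file, e.g. the Ldap-Group == "wifi" check
	}
	authenticate {
		eap_tls_only
	}
}
# Requests from the "user" huntgroup go through a second listen section and
# virtual server that reference the standard "eap" instance instead.
```

Running the server with `radiusd -X` after the change shows which virtual server and which EAP instance handle each request.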