different EAP methods for different users

Alan DeKok aland at deployingradius.com
Fri Nov 9 15:12:27 CET 2012


Stefano Zanmarchi wrote:
> we're currently supporting only PEAP, that is we base our security on
> passwords.
> We'd like to introduce higher security for a limited set of users this way:
> 1. support both PEAP and EAP/TTLS
> 2. configure freeradius to authenticate these users (stored in a local
>    table) *only* if they use EAP/TTLS. They should *not* be authenticated
>    if they used PEAP.

  Put the users into a group.  Then, in the "authorize" section, after
"eap", do:


    if ((EAP-Type == PEAP) && (My-Group == "notpeap")) {
        reject
    }

  See "man rlm_passwd" for examples of creating a group.

  Alan DeKok.
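
One way to wire up the group lookup and the check described in the reply above. This is an added example, not configuration from the original post or from the FreeRADIUS distribution; the attribute number, the instance name notpeap_group, the file path and the user names are assumptions.

```text
# --- raddb/dictionary ---------------------------------------------------
# Declare the local attribute used by the policy.
# (3000 is an assumed free number in the locally assigned range.)
ATTRIBUTE	My-Group	3000	string

# --- raddb/modules/notpeap_group ----------------------------------------
# rlm_passwd instance (hypothetical name) that maps users to a group.
# Constructed sample of /etc/raddb/notpeap_group, one line per group:
#
#   notpeap:alice,bob
#
passwd notpeap_group {
	filename = /etc/raddb/notpeap_group
	# Field 1 becomes My-Group; the "=" prefix adds it to the request
	# list, which is where a bare My-Group in unlang is looked up.
	# Field 2 is the key ("*"), a comma-separated list (",") of
	# User-Name values.
	format = "=My-Group:*,User-Name"
	delimiter = ":"
}

# --- raddb/sites-available/default --------------------------------------
authorize {
	# (other modules as in the existing configuration)

	# If this entry carries the stock "ok = return" override, the
	# section stops on any packet where eap returns ok and the check
	# below is not evaluated for that packet.
	eap

	# Adds My-Group = "notpeap" when User-Name is listed in the file.
	notpeap_group

	# Members of the group may not authenticate with PEAP.
	if ((EAP-Type == PEAP) && (My-Group == "notpeap")) {
		reject
	}

	# (remaining modules)
}
```

The lookup keys on the outer User-Name seen in this authorize section, so a client that sends an anonymous outer identity will not match an entry in the group file.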

