Alan, Stefan


replying to myself:

using 'files' I've managed to make it work. the correct (working) configuration is:


user_ttls FreeRadius-Proxied-To == "127.0.0.1", User-Password == "test_ttls"
                Session-Timeout = 3600

user_ttls       EAP-Type != EAP-TTLS
                Auth-Type := Reject

user_peap FreeRadius-Proxied-To == "127.0.0.1", User-Password == "test_peap"
                Session-Timeout = 3600

user_peap       EAP-Type != PEAP
                Auth-Type := Reject


that does exactly what I wanted. works like a charm for both PEAP and TTLS users.

could somebody explain to me how I can translate it into an SQL config?


ciao
artur



Artur Hecker wrote:

hi Alan
hi Stefan


thanks for your help. I think I understand the idea. however my problems are on the implementation level.

two things are still not clear to me.

1. we use 'sql' and not 'files' (my fault, I didn't mention it previously) and thus I don't see how I can add the line below to my user profile, which already has things like User-Password ==..., etc. I tried adding user user_ttls into group TTLS and then using radgroupcheck like this:

radgroupcheck:
id    User          Attribute    op    Value
2     user_ttls     EAP-Type     !=    TTLS
3     user_ttls     Auth-Type    :=    Reject

but then user_ttls gets rejected. how do I implement it with SQL?

2. we experimented with EAP-Type, but at least for PEAP as soon as we specify it somewhere in radcheck, PEAP breaks with a server error message saying that the client has sent a TLV rejecting the connection.

Alan: like Stefan proposed, I also thought about something like FreeRadius-Proxied-To, because I think that your proposal might not work as soon as the internal method starts for the user. Or don't external methods use EAP-Type? (still I am not sure how to define "conditions" in sql tables: if EAP-Type not this value, then add Auth-Type=...)


ciao
artur


Alan DeKok wrote:

Artur Hecker <[EMAIL PROTECTED]> wrote:

user_ttls    EAP-Type != PEAP

that however only prohibits the usage of PEAP for user_ttls, while I would like to only enable TTLS for this specific user (which is not quite the same).



user_ttls   EAP-Type != TTLS, Auth-Type := Reject

  See the dictionaries for EAP-Type names.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html