hi
> > so what value would i set the EAP-Type attribute to?
> > See the dictionary file for the values for the EAP-Type attribute

no, i think we didn't understand each other. you are talking about Auth-Type := EAP which is set automatically by the EAP module in the authorize section. that's evident.

what i want, is quite different _and_ quite necessary, given the potential generality of the EAP authentication methods. in the same manner like you can demand CHAP, PAP, MS-CHAP or whatever EAP on a per-user basis, i.e. reject EVERY request for this user NOT having the pre-defined (part of authorization) authentication type, you should be capable of defining which EAP subtype the user is trying to use.

EAP can be potentially as simple as CHAP or based on certificates, kerberos or GSM-SIM cards. so, it's crucial to be able to control that. you don't want your users to freely choose the possibly weakest authentication method. you probably want to enforce ONE and only method per user. a propos, that was strongly recommended for all RADIUS servers.

now if you enforce Auth-Type := EAP, you effectively do not enforce _anything_, since it can be almost everything. we should probably add a kind of Auth-Type := EAP/MD5 possibility and then, in the code fragment you posted, we should check if the provided EAP type matches the preconfigured one. if yes, the authentication can take place. if not, the reject should be sent. for example...

i thought even, that it would be possible by defining instances of the eap module with different default_types. but then, the eap module should set the Auth-Type to the subtype and only if the provided EAP-Message includes this one, and the code you mentioned should check as described above... imho...

perhaps alan could say something on this matter, i'm far from being freeradius configuration possibilities expert :-)

> > i don't want the user X just to grab the EAP-method Y and freeradius to
> > use it if it finds it in user's request. i want freeradius to impose _a_
> > certain EAP subtype (and to deny user if it's not the configured one).
> > From a quick look at the rlm_eap sources i don't think that it is possible.

that's exactly the problem. it's not.

ciao & thanks
artur
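The per-user check proposed in the message above, sketched as an added example that is not part of the original post and is not FreeRADIUS code. The policy table, function names and sample packets are hypothetical, and the EAP-Message attributes of a request are assumed to be already concatenated into one EAP packet.

```python
import struct

# EAP code and method type numbers from RFC 3748 / the IANA EAP registry.
EAP_REQUEST, EAP_RESPONSE = 1, 2
IDENTITY, NOTIFICATION, NAK, MD5, TLS, SIM = 1, 2, 3, 4, 13, 18

# Hypothetical per-user policy: the single EAP method each user must use.
REQUIRED_EAP_TYPE = {"alice": TLS, "bob": MD5}

def build_response(ident, eap_type, data=b""):
    """Build a constructed EAP-Response packet for the demo below."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), eap_type) + data

def parse_eap(msg):
    """Return (code, type, type_data); type is None for Success/Failure."""
    if len(msg) < 4:
        raise ValueError("short EAP header")
    code, _ident, length = struct.unpack("!BBH", msg[:4])
    if length < 4 or length > len(msg):
        raise ValueError("bad EAP length field")
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        return code, None, b""
    if length < 5:
        raise ValueError("request/response without a Type octet")
    return code, msg[4], msg[5:length]

def check_eap_policy(user, eap_message):
    """Return 'continue' or 'reject' for one EAP packet received from `user`."""
    required = REQUIRED_EAP_TYPE.get(user)
    try:
        code, eap_type, data = parse_eap(eap_message)
    except ValueError:
        return "reject"                      # malformed packet: fail closed
    if required is None or code != EAP_RESPONSE:
        return "reject"                      # no policy, or not a peer response
    if eap_type in (IDENTITY, NOTIFICATION):
        return "continue"                    # sent before a method is selected
    if eap_type == NAK:
        # A Nak lists the methods the peer wants instead; go on only if the
        # required method is among them, so the server can offer it next.
        return "continue" if required in data else "reject"
    return "continue" if eap_type == required else "reject"

if __name__ == "__main__":
    md5_reply = build_response(2, MD5, bytes([16]) + bytes(16))  # constructed
    for user, pkt in [("alice", build_response(1, IDENTITY, b"alice")),
                      ("alice", md5_reply), ("bob", md5_reply),
                      ("bob", build_response(3, NAK, bytes([TLS])))]:
        print(user, pkt.hex(), check_eap_policy(user, pkt))
```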
