On Fri, 7 Nov 2003, Artur Hecker wrote:

> hi
>
> > > so what value would i set the EAP-Type attribute to?
> >
> > See the dictionary file for the values for the EAP-Type attribute
>
> no, i think we didn't understand each other. you are talking about
> Auth-Type := EAP which is set automatically by the EAP module in the
> authorize section. that's evident.

We clearly aren't understanding each other :-) And you didn't read what i asked you to, because you would find out it's exactly what you want. Evidently i _wasn't_ talking about Auth-Type but about EAP-Type. So please read the dictionary file for the values for EAP-Type.

>
> what i want, is quite different _and_ quite necessary, given the
> potential generality of the EAP authentication methods. in the same
> manner like you can demand CHAP, PAP, MS-CHAP or whatever EAP on a
> per-user basis, i.e. reject EVERY request for this user NOT having the
> pre-defined (part of authorization) authentication type, you should be
> capable of defining which EAP subtype the user is trying to use.
>
> EAP can be potentially as simple as CHAP or based on certificates,
> kerberos or GSM-SIM cards. so, it's crucial to be able to control that.
> you don't want your users to freely choose the possibly weakest
> authentication method. you probably want to enforce ONE and only method
> per user.
>
> a propos, that was strongly recommended for all RADIUS servers. now if
> you enforce Auth-Type := EAP, you effectively do not enforce _anything_,
> since it can be almost everything.
>
> we should probably add a kind of Auth-Type := EAP/MD5 possibility and
> then, in the code fragment you posted, we should check if the provided
> EAP type matches the preconfigured one. if yes, the authentication can
> take place. if not, the reject should be sent. for example...

That's exactly what the patch i sent will do (at least from my quick pass through the rlm_eap module code).

>
> i thought even, that it would be possible by defining instances of the
> eap module with different default_types. but then, the eap module should
> set the Auth-Type to the subtype and only if the provided EAP-Message
> includes this one, and the code you mentioned should check as described
> above... imho...
>
> perhaps alan could say something on this matter, i'm far from being
> freeradius configuration possibilities expert :-)
>
> > > i don't want the user X just to grab the EAP-method Y and freeradius to
> > > use it if it finds it in user's request. i want freeradius to impose _a_
> > > certain EAP subtype (and to deny user if it's not the configured one).
> >
> > From a quick look at the rlm_eap sources i don't think that it is possible.
>
> that's exactly the problem. it's not.
>
>
> ciao & thanks
> artur
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
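
The per-user check discussed in this thread (reject a request whose EAP method is not the one configured for that user) can be sketched as follows. This is an added example, not the patch mentioned above and not code from rlm_eap; the function `eap_check_type`, its `required` parameter and the sample packets are assumptions made for illustration, while the type numbers are the IANA-assigned EAP method types.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EAP method numbers from the IANA EAP registry. */
enum { EAP_IDENTITY = 1, EAP_NAK = 3, EAP_MD5 = 4, EAP_TLS = 13 };
enum { EAP_CODE_RESPONSE = 2 };
enum verdict { EAP_ALLOW, EAP_REJECT, EAP_MALFORMED };

/* Constructed sample EAP packets: Code, Identifier, Length (2 bytes), Type, data. */
static const uint8_t pkt_identity[] = { 2, 1, 0, 8, EAP_IDENTITY, 'b', 'o', 'b' };
static const uint8_t pkt_md5[]      = { 2, 2, 0, 6, EAP_MD5, 0 };
static const uint8_t pkt_tls[]      = { 2, 2, 0, 6, EAP_TLS, 0 };
static const uint8_t pkt_nak_md5[]  = { 2, 2, 0, 6, EAP_NAK, EAP_MD5 };
static const uint8_t pkt_nak_tls[]  = { 2, 2, 0, 6, EAP_NAK, EAP_TLS };
static const uint8_t pkt_short[]    = { 2, 2, 0, 10, EAP_TLS, 0 };

/* required: hypothetical per-user pinned EAP type; 0 means "not pinned". */
enum verdict eap_check_type(const uint8_t *pkt, size_t len, uint8_t required)
{
    if (pkt == NULL || len < 5) return EAP_MALFORMED;  /* a Response carries a Type byte */
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3];   /* big-endian Length field */
    if (eap_len < 5 || eap_len > len) return EAP_MALFORMED;
    /* Simplification: the server only expects EAP Responses from the peer. */
    if (pkt[0] != EAP_CODE_RESPONSE) return EAP_MALFORMED;
    if (required == 0) return EAP_ALLOW;
    uint8_t type = pkt[4];
    if (type == EAP_IDENTITY) return EAP_ALLOW;        /* sent before a method is chosen */
    if (type == EAP_NAK) {
        /* A NAK lists the methods the peer would accept instead. */
        for (size_t i = 5; i < eap_len; i++)
            if (pkt[i] == required) return EAP_ALLOW;
        return EAP_REJECT;
    }
    return type == required ? EAP_ALLOW : EAP_REJECT;
}

int main(void)
{
    static const char *names[] = { "allow", "reject", "malformed" };
    printf("md5 response, user pinned to TLS: %s\n",
           names[eap_check_type(pkt_md5, sizeof pkt_md5, EAP_TLS)]);
    printf("nak offering TLS, user pinned to TLS: %s\n",
           names[eap_check_type(pkt_nak_tls, sizeof pkt_nak_tls, EAP_TLS)]);
    return 0;
}
```

The Identity and NAK cases matter: rejecting them outright would break every negotiation, while accepting a NAK that does not offer the pinned type would let the peer steer the server toward a weaker method.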
