"Patrick Mowry (DHL US)" <[EMAIL PROTECTED]> wrote:
> My understanding of Wireless 802.1x support boils down to the AP
> passing the EAP authentication to the backend radius server after the
> initial EAPOL, but the actual EAP type used is up to the supplicant.

  Yes, but the server has to agree.

> I would like to use EAP-TLS for an SSID for wireless LAN access, and
> LEAP (no other choice :( ) for wireless phones.  But if the SSIDs
> are configured on all APs, all APs point to a single FreeRadius
> Backend configured for TLS, LEAP and PEAP; how do I prevent a
> compromised LEAP account from being used to access the SSID
> supposedly secured by EAP-TLS?

  Is the SSID in the RADIUS packet?  If not, you can't key off of SSID
to force EAP types.

> Watching the logs with radiusd -X -A I do not see a field I can key
> off of to limit the EAP type allowed.

  In the "users" file, you can do:

bob	EAP-Type := Cisco-LEAP

  to force that user to use a specific EAP type.  See share/dictionary
for the known VALUEs of the EAP-Type attribute.

  Alan DeKok.
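Added example, not part of the original message and not FreeRADIUS code: a check for whether the SSID is present in a request, and what a per-SSID EAP-type rule would decide if it is. It assumes the AP follows the RFC 3580 convention of sending Called-Station-Id as "MAC:SSID"; the sample request, the SSID names and the policy table are constructed for illustration.

```python
import re

# Constructed sample of Access-Request attributes as shown in debug output.
SAMPLE_REQUEST = """\
    User-Name = "bob"
    NAS-IP-Address = 192.0.2.10
    Called-Station-Id = "00-11-22-33-44-55:corp-wlan"
    Calling-Station-Id = "66-77-88-99-AA-BB"
    NAS-Port-Type = Wireless-802.11
"""

# Hypothetical policy: each SSID accepts exactly one EAP type.
SSID_EAP_POLICY = {"corp-wlan": "EAP-TLS", "voice": "Cisco-LEAP"}

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"?(.*?)"?\s*$')
# AP MAC (with or without - or : separators) followed by ":" and the SSID.
MAC_SSID_RE = re.compile(r'^(?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2}:(.+)$')


def parse_attributes(text):
    """Turn 'Name = value' debug lines into a dict."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def ssid_from_request(attrs):
    """Return the SSID carried in Called-Station-Id, or None if absent."""
    m = MAC_SSID_RE.match(attrs.get("Called-Station-Id", ""))
    return m.group(1) if m else None


def decide(attrs, eap_type):
    """'no-ssid' if the packet cannot be keyed on SSID, else accept/reject."""
    ssid = ssid_from_request(attrs)
    if ssid is None:
        return "no-ssid"  # nothing to key off; fall back to per-user rules
    # Unknown SSIDs are rejected (fail closed); this is an assumption here.
    return "accept" if SSID_EAP_POLICY.get(ssid) == eap_type else "reject"


if __name__ == "__main__":
    request = parse_attributes(SAMPLE_REQUEST)
    for eap in ("EAP-TLS", "Cisco-LEAP"):
        print(ssid_from_request(request), eap, decide(request, eap))
```

If the AP sends only the bare MAC, decide() returns "no-ssid" and the per-user EAP-Type entry in the "users" file is the remaining control.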

