"Rainer Brinkmann" <[EMAIL PROTECTED]> wrote:
> we wonder, how a freeradius can request a client to use a fixed EAP-Method:
> so its defined:
> Client starts with EAP-Start-Msg
> Radius wants EAP-Identity
> Client answers with Username or Hostname NOT using a special EAP-Method

  That isn't how EAP works.

> you run in your wireless LAN many SSIDs:
> SSID1 shall use EAP-TTLS
> SSID2 shall use EAP-TLS (high-secured Net like personal Data)
>
> what logic starts the right inner-EAP-Protocol, cause neither the
> AccessPoint(WLAN-Controller), nor the
> radius server know, what Method to use, when there are many enabled.

  The supplicant, i.e. the laptop, usually.

  What you can do in the default config is something like the following:

    DEFAULT SSID == "SSID1", Eap-Type != EAP-TTLS, Auth-Type := Reject

  You'll have to look in the RADIUS packet to see how the SSID comes in,
and match that.  But that *should* reject anyone on SSID1 who isn't
using TTLS.

  The reason you have to reject the request, rather than forcing people
to use TTLS is that you *can't* force people to use TTLS.  They use
whatever they want, and the server has to deal with it.

  Alan DeKok.
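
The per-SSID reject decision described in the reply above, worked through in Python as an added example that is not part of the original post and not FreeRADIUS code. It assumes the NAS sends Called-Station-Id as "AP-MAC:SSID", and it lets Identity responses through and checks the method list in a NAK; the names SSID_POLICY, decide and eap_response are hypothetical.

```python
import re

# EAP type numbers from the IANA EAP registry.
EAP_IDENTITY, EAP_NAK, EAP_TLS, EAP_TTLS = 1, 3, 13, 21

# Per-SSID policy from the thread: SSID1 -> EAP-TTLS, SSID2 -> EAP-TLS.
SSID_POLICY = {"SSID1": EAP_TTLS, "SSID2": EAP_TLS}
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}")


def ssid_from_called_station_id(value):
    """Assumed format 'AP-MAC:SSID' with a hyphenated MAC; check what your NAS sends."""
    mac, sep, ssid = value.partition(":")
    return ssid if sep and MAC_RE.fullmatch(mac) else None


def eap_response(ident, eap_type, data=b""):
    """Build a constructed EAP-Response: code, id, 2-byte length, type, type-data."""
    return bytes([2, ident]) + (5 + len(data)).to_bytes(2, "big") + bytes([eap_type]) + data


def parse_eap_response(msg):
    """Return (type, type_data) for a well-formed EAP-Response, else None."""
    if len(msg) < 5 or msg[0] != 2:  # code 2 = Response
        return None
    length = int.from_bytes(msg[2:4], "big")
    if length < 5 or length > len(msg):
        return None
    return msg[4], msg[5:length]


def decide(called_station_id, eap_message):
    """Return 'reject' when the supplicant's method is not the one the SSID requires."""
    parsed = parse_eap_response(eap_message)
    if parsed is None:
        return "reject"  # malformed EAP never continues
    required = SSID_POLICY.get(ssid_from_called_station_id(called_station_id))
    if required is None:
        return "continue"  # no method policy for this SSID
    eap_type, data = parsed
    if eap_type == EAP_IDENTITY:
        return "continue"  # identity exchange happens before any method is chosen
    if eap_type == EAP_NAK:
        # A NAK carries the method types the supplicant is willing to use.
        return "continue" if required in data else "reject"
    return "continue" if eap_type == required else "reject"
```

The server can only accept or reject what the supplicant chooses, which is why every branch returns a decision and none tries to select the method for the client.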