Hello
In the default configuration, if a User-Password is defined for a user, the user can be authenticated by all applicable authentication types. That is the sense and the beauty of the default configuration :-) However, in a practical deployment, a serious security policy is likely to state the contrary: every user (or usergroup) should be authenticated by exactly one authentication method. What is the "right" (recommended) way to do it? Could not find anything on that in Wiki. (Would be glad to add it, when finished). Background: I used to restrict users by explicitly setting for them (their group) EAP-Type := something, according to the user profile. However, as of 1.1.6, my wireless PEAP(-MSCHAPv2) user authentication does not work anymore as before: the inner PEAP authentication fails with "cannot tunnel TLS in TLS", most probably since the authorize module (sql) sets EAP-Type := PEAP. It *may* be just me though. thanks artur - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
