Artur Hecker wrote:
...
>> # group "foo" must use PEAP
>> DEFAULT My-Group == "foo", EAP-Type != PEAP, Auth-Type := Reject
>>
>> # group "bar" must use TTLS
>> DEFAULT My-Group == "bar", EAP-Type != TTLS, Auth-Type := Reject
>
> That's my problem - I think this cannot work with tunneled methods.

Try CVS head. You can have multiple virtual servers, *including* different servers for PEAP and TTLS tunnels. *Including* different virtual servers for tunneled sessions, per NAS, or per user group, or...

Much better. Much easier.

> ...I have
> no idea how to OR these two (EAP-Type == PEAP OR EAP-MSCHAPv2), but
> even that would not be satisfactory since it would allow to use brute
> EAP-MSCHAPv2 without a tunnel.

DEFAULT FreeRADIUS-Proxied-To != 127.0.0.1, EAP-Type == EAP-MSCHAPv2, Auth-Type := Reject

> If I'm not mistaken, it would be nice to have two different
> attributes like EAP-Type and EAP-Inner-Type or something OR we need
> different SQL queries for the inner and the outer methods
> configurable... Am I wrong?

Nope. 2.0 supports that. Easily.

Alan DeKok.

