Granting/denying access according to auth-method


Granting/denying access according to auth-method

dump
Dear list,

I'm using freeradius 3 almost in standard config with mysql as the storage
facility. I have PEAP and EAP active. Usually EAP via TLS or TTLS/PAP is
used, because the passphrases could be stored with SHA-1 encryption. PEAP
is sometimes necessary for me too, but it uses MS-CHAPv2, which needs a
cleartext PW. Due to this I would like to restrict authentication via
MS-CHAPv2 and reactivate it when needed.

I would prefer to do it via the radcheck table, so that activating
and deactivating it quickly is easy. I read that it's possible via the users file, but
I can't find any useful information/manual telling me what to put into the
radcheck table.

Might somebody have an idea or a manual I need to follow/read?

Many thanks in advance and
best regards
Jens

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Granting/denying access according to auth-method

Alan DeKok-2
On Nov 1, 2019, at 6:56 PM, [hidden email] wrote:
> I'm using freeradius 3 almost in standard config with mysql as the storage
> facility. I have PEAP and EAP active. Usually EAP via TLS or TTLS/PAP is
> used, because the passphrases could be stored with SHA-1 encryption. PEAP
> is sometimes necessary for me too, but it uses MS-CHAPv2, which needs a
> cleartext PW. Due to this I would like to restrict authentication via
> MS-CHAPv2 and reactivate it when needed.

  You can reject authentications that use MS-CHAPv2.  But you can't really do much in the way of negotiation via the configuration files.

> I would prefer to do it via the radcheck table, so that activating
> and deactivating it quickly is easy. I read that it's possible via the users file, but
> I can't find any useful information/manual telling me what to put into the
> radcheck table.
>
> Might somebody have an idea or a manual I need to follow/read?

  The best way to do it is to comment out the "peap" subsection of the "eap" module.  The server will then take care of negotiating an EAP type *other* than PEAP.

  Alan DeKok.
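The change Alan describes, written out as an added example (this is not a config file from the thread or from the FreeRADIUS project; it follows the layout of the stock FreeRADIUS 3 raddb/mods-available/eap file). Each EAP sub-type the server is willing to negotiate is a subsection of the "eap" module, so the subsections are the switch: with "peap" commented out the server has no PEAP handler and can only settle on TLS or TTLS with the supplicant, and no MS-CHAPv2 exchange (and hence no cleartext-password lookup) can happen through PEAP. Commenting out the "mschapv2" subsection as well is my own addition and an assumption about the poster's goal: that subsection is the EAP-MSCHAPv2 sub-module, and leaving it enabled keeps EAP-MSCHAPv2 negotiable as a bare EAP type even without PEAP. Re-enabling either one is a matter of removing the leading '#' and restarting (or HUPing) radiusd.

```text
# raddb/mods-available/eap (excerpt; added example, not from the thread)
eap {
        # Offered first. A supplicant may NAK it and ask for another type,
        # but only types that have an enabled subsection below can be
        # negotiated, so the subsections decide what is allowed.
        default_eap_type = tls

        tls-config tls-common {
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                ca_file = ${cadir}/ca.pem
        }

        # EAP-TLS: client certificates, no password involved.
        tls {
                tls = tls-common
        }

        # EAP-TTLS: the inner PAP runs in inner-tunnel and works against
        # hashed (e.g. SHA-1) passwords in radcheck.
        ttls {
                tls = tls-common
                virtual_server = "inner-tunnel"
        }

        # PEAP disabled. With no peap subsection the server cannot complete
        # a PEAP negotiation, so the inner EAP-MSCHAPv2 (which needs a
        # cleartext password) is never reached. To re-enable PEAP, remove
        # the leading '#' on the five lines below and restart radiusd.
#       peap {
#               tls = tls-common
#               default_eap_type = mschapv2
#               virtual_server = "inner-tunnel"
#       }

        # Assumption (my addition, not in Alan's reply): also disable the
        # EAP-MSCHAPv2 sub-module, otherwise it stays negotiable on its own
        # as a bare EAP type. Re-enable it together with peap.
#       mschapv2 {
#       }
}
```

The reason this is cleaner than a per-user radcheck entry is the one Alan gives: EAP type selection is done by the "eap" module during the EAP conversation, not by check items on the user row, so the place to allow or deny a type is the module's list of enabled sub-types. Verify after the restart by watching "radiusd -X" for a PEAP-only supplicant: it should end in Access-Reject rather than an MS-CHAPv2 exchange.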
