Allow EAP-TLS and EAP-TTLS

[Jason]

I'm trying to set up TekRADIUS LT to only allow EAP-TLS and EAP-TTLS connections. I set the default group like this:

And a second group like this:

When I attempt an EAP-TTLS connection, it fails, and the log shows Unsupported authentication method. EAP-TLS connections are successful. Shouldn't the Next-group setting allow EAP-TTLS connections?

If I change the Authentication-Method to EAP-TTLS on the default group, EAP-TTLS connections are successful. EAP-TLS connections also continue to be successful. Shouldn't EAP-TLS connections be denied in this case, and only EAP-TTLS connections allowed?

I have the Default EAP method set to EAP-TLS under Settings > Service Parameters > Authentication.

Is this expected behavior, or am I missing something?

Thank you

[Yasin KAPLAN]

Hi,

Next-Gorup hunting is not support with EAP authentication methods.

Best regards,

Yasin KAPLAN

[Jason]

Thank you.

Does that mean policy matching is also not supported for EAP authentication methods?

Is there a reason why EAP-TLS connections continue to be successful, when Authentication-Method is set to EAP-TTLS on the default group? Shouldn't EAP-TLS connections be denied in this case, and only EAP-TTLS connections allowed?

[Yasin KAPLAN]

Correct, policy matching cannot be used in this scenario too.

I need to see TekRADIUS log for the EAP-TLS case.