RES: Re: PEAP/EAP-TLS with client and server certificate

Marcelo Augusto Rodrigues Pimentel marcelo.pimentel at cgu.gov.br
Tue Apr 24 14:59:30 CEST 2007



>             I'm trying to configure freeradius with PEAP + EAP-TLS, but
> I'm somewhat confused about how to configure the radiusd.conf (sections
> authorize and authentication) and eap.conf.
> 
>             Has someone implemented this configuration?
>
>  Yes.  Many people.
>
>             In the eap.conf file the default eap type is TLS or PEAP?
>
>  If you're doing PEAP, then it should be peap.
>
>             What do I have to configure in the authorize and authentication
> sections?
>
>  For basic peap, not much.  Just configure "eap.conf".

OK. But I'm trying to use peap to make an encrypted tunnel validating the server certificate, and then I want to authenticate the clients with EAP-TLS using client/server certificates. The TLS tunnel is working fine, but the second part, the EAP-TLS authentication, is not.

So .... in the peap section in eap.conf, what do I have to configure for the default eap type? Is it tls? If I configure tls, do I have to create a tls section inside the peap section, or is the tls section of eap.conf enough? I've attached my eap.conf file.

Thanks!!


eap.conf

eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        # Supported EAP-types
        # EAP-TLS
        tls {
                private_key_password = xxxxxxxxxxxxxxxxx
                private_key_file = ${raddbdir}/certs/freeradius_key.pem
                certificate_file = ${raddbdir}/certs/freeradius_cert.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024

                include_length = yes
        }

        peap {
                default_eap_type = tls
        }

        #tls {
        #        private_key_password = xxxxxxxxxxxxxxxxxxxxx
        #        private_key_file = ${raddbdir}/certs/freeradius_key.pem
        #        certificate_file = ${raddbdir}/certs/freeradius_cert.pem
        #        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        #        dh_file = ${raddbdir}/certs/dh
        #        random_file = ${raddbdir}/certs/random
        #        fragment_size = 1024
        #        include_length = yes
        #}

        #mschapv2 {
        #}
}


> *FreeRADIUS Version 1.0.1*
>
>  Why not run 1.1.6, which has many more bug fixes and features?
>
>  Alan DeKok.
>--
>  http://deployingradius.com       - The web site of the book
>  http://deployingradius.com/blog/ - The blog
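As an added example, not from this thread or from FreeRADIUS itself, here is a small Python checker for the cross-references the question above turns on: it parses eap.conf's brace syntax (dropping "#" comments, so a commented-out tls block does not count), then checks that every default_eap_type, outer and inside peap/ttls, names a section that actually exists under eap {}, and that a tunnel type has the tls section its outer TLS needs. The sample config is constructed from the posted eap.conf with the values trimmed, and the check rule is the example's own assumption about how the sections reference each other.

```python
# Constructed sample mirroring the eap.conf posted in this thread (trimmed).
SAMPLE_EAP_CONF = """eap {
    default_eap_type = peap
    tls {
        private_key_file = ${raddbdir}/certs/freeradius_key.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    }
    peap {
        default_eap_type = tls
    }
}
"""

def parse_conf(text):
    """Parse FreeRADIUS brace-delimited config into nested dicts, dropping '#' comments."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child  # new section
            stack.append(child)
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return stack[0]

def check_eap(conf):
    """Report dangling default_eap_type values and tunnels without a tls section."""
    eap = conf.get("eap", {})
    sections = {k for k, v in eap.items() if isinstance(v, dict)}
    problems = []
    outer = eap.get("default_eap_type")
    if outer not in sections:
        problems.append(f"eap: default_eap_type '{outer}' has no section")
    for tunnel in sections & {"peap", "ttls"}:
        if "tls" not in sections:
            problems.append(f"{tunnel}: outer tunnel needs the tls section")
        inner = eap[tunnel].get("default_eap_type")
        if inner is not None and inner not in sections:
            problems.append(f"{tunnel}: inner type '{inner}' has no section")
    return problems
```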


