How to enable only EAP-TTLS type and not EAP-TLS?

Riccardo Veraldi Riccardo.Veraldi at cnaf.infn.it
Wed Jan 9 10:38:31 CET 2008


I think there is a cleaner way.
I enabled only EAP-TTLS and disabled EAP-TLS just by putting this line in 
/etc/raddb/users

DEFAULT        EAP-Type == EAP-TLS, Auth-Type := Reject

It works. I think Alan gave me this hint a year ago; maybe it could be 
put in the FAQ,
since it is an interesting way to solve the problem.

Rick

Reimer Karlsen-Masur, DFN-CERT wrote:
> Hi,
>
> nikitha george wrote on 09.01.2008 10:04:
>   
>> Hi,
>> I want to enable only TTLS authentication and if the client is
>> requesting any other types EAP-TLS or PEAP the authentication should be
>> denied.
>>     
>
> Within the eap section you must configure the tls and the ttls sections.
> Delete the peap section.
>
>   
>> I am running freeradius-1.1.6, and if try to disable EAP-TLS module the
>> server itself is not starting up.
>> Please let me know if there are any ways to achieve this.
>>     
>
> Then, to disable the eap-tls functionality, you must create an *empty*
> directory, e.g. ${raddbdir}/certs/trustedCAsForRoamingClients/, and then
> within the tls section define
>
> CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/
>
> Also you must remove the definition of the parameter
>
> CA_file =
>
> This way you don't have any accepted CAs in your config that are trusted CAs
> for issued client certificates for eap-tls authentication.
>
> Make sure though that you put the radius server certificate and its CA chain
> including the root CA certificate in PEM format into the file specified with
> the
>
> certificate_file
>
> option in the tls section.
>
> HTH
>
>   

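The two approaches in the thread, the `users`-file reject and the tls section with no trusted client CAs, combined into one configuration. This is an added example, not configuration posted by either participant or shipped by FreeRADIUS. It assumes a 1.1.x-style `eap.conf` and the stock module order in the `authorize` section (the `eap` module listed before `files`), because the `EAP-Type` attribute the `DEFAULT` entries test is created by the `eap` module when it parses the client's EAP-Response. File paths, the key password and the inner TTLS method are placeholders.

```conf
# Added example (not from the original posts). Restrict a FreeRADIUS 1.1.x
# server to EAP-TTLS: reject other outer EAP types in the users file, and
# trust no CA for client certificates so EAP-TLS cannot succeed anyway.
# Assumes `eap` precedes `files` in authorize so EAP-Type is already set.

# --- ${raddbdir}/users -------------------------------------------------
# EAP-Type holds the type code of the EAP-Response the client just sent.
# A client that NAKs the offered TTLS and asks for EAP-TLS or PEAP is
# rejected on its first response of that type. The TTLS inner request
# carries the inner type (here MS-CHAP-V2), so it never matches these.
DEFAULT        EAP-Type == EAP-TLS, Auth-Type := Reject
               Reply-Message = "Only EAP-TTLS is permitted on this server"

DEFAULT        EAP-Type == PEAP, Auth-Type := Reject
               Reply-Message = "Only EAP-TTLS is permitted on this server"

# Anything else falls through to the usual entries and Auth-Type EAP.

# --- ${raddbdir}/eap.conf ----------------------------------------------
eap {
        # Offer TTLS first; a client that accepts it never hits the
        # reject entries above.
        default_eap_type = ttls
        timer_expire     = 60
        ignore_unknown_eap_types = no

        # The tls section must stay: TTLS uses it for the server
        # certificate and the outer TLS tunnel.
        tls {
                private_key_password = whatever                    # placeholder
                private_key_file     = ${raddbdir}/certs/server.pem  # placeholder path
                # Server certificate plus its full CA chain, PEM encoded.
                certificate_file     = ${raddbdir}/certs/server.pem  # placeholder path
                # Deliberately EMPTY directory and no CA_file: no CA is
                # trusted to issue client certificates, so EAP-TLS fails.
                CA_path              = ${raddbdir}/certs/trustedCAsForRoamingClients/
                dh_file              = ${raddbdir}/certs/dh
                random_file          = ${raddbdir}/certs/random
                fragment_size        = 1024
                include_length       = yes
        }

        ttls {
                # Inner method for the tunnelled identity (placeholder choice).
                default_eap_type        = mschapv2
                copy_request_to_tunnel  = no
                use_tunneled_reply      = yes
        }

        # Required because the inner type above is EAP-MSCHAPv2.
        mschapv2 {
        }
}
```

The reject entries act on the outer EAP conversation only; in 1.1.x the TTLS inner request passes through the same `authorize` section, so keep them keyed on outer types (`EAP-TLS`, `PEAP`) and not on the inner method you configure in `ttls`.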