How to enable only EAP-TTLS type and not EAP-TLS?

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Wed Jan 9 10:45:04 CET 2008


Riccardo Veraldi wrote:
> I think there is a cleaner way.
> I enabled only EAP-TTLS and disabled EAP-TLS just putting this line in
> /etc/raddb/users
>
> DEFAULT        EAP-Type == EAP-TLS, Auth-Type := Reject
>
> It works, I think Alan gave me this hint 1 year ago, maybe it could be
> put in the FAQ since it is an interesting way to solve the problem.
Don't you want

DEFAULT        EAP-Type != EAP-TTLS, Auth-Type := Reject

or in unlang

if("%{EAP-Type}" != 'EAP-TTLS'){
    reject
}
>
> Rick
>
> Reimer Karlsen-Masur, DFN-CERT ha scritto:
>> Hi,
>>
>> nikitha george wrote on 09.01.2008 10:04:
>>  
>>> Hi,
>>> I want to enable only TTLS authentication and if the client is
>>> requesting any other types EAP-TLS or PEAP the authentication should be
>>> denied.
>>>     
>>
>> within the eap section you must configure the tls and the ttls section.
>> Delete the peap section.
>>
>>  
>>> I am running freeradius-1.1.6, and if I try to disable the EAP-TLS module
>>> the server itself is not starting up.
>>> Please let me know if there are any ways to achieve this.
>>>     
>>
>> Then to disable the eap-tls functionality you must create an *empty*
>> directory  e.g. ${raddbdir}/certs/trustedCAsForRoamingClients/ and then
>> within the tls section define
>>
>> CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/
>>
>> Also you must remove the definition of the parameter
>>
>> CA_file =
>>
>> This way you don't have any accepted CAs in your config that are trusted CAs
>> for issued client certificates for eap-tls authentication
>>
>> Make sure though that you put the radius server certificate and its CA chain
>> including the root CA certificate in PEM format into the file specified with
>> the
>>
>> certificate_file
>>
>> option in the tls section.
>>
>> HTH
>>
>>   


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
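
An added example, not part of the original thread or of FreeRADIUS: a Python check for the empty-CA_path setup described in the quoted reply (no CA_file, CA_path pointing at an empty directory, certificate_file set). The config snippets are constructed samples; the function names and the file name server-chain.pem are assumptions.

```python
import os
import re

# Constructed sample configs (not from the thread).
GOOD_CONF = """eap {
    tls {
        certificate_file = ${raddbdir}/certs/server-chain.pem
        CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/
    }
}"""
BAD_CONF = """eap {
    tls {
        certificate_file = ${raddbdir}/certs/server-chain.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        # CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/
    }
}"""

def parse_tls_section(conf_text):
    """Return {option: value} for uncommented 'name = value' lines in tls { }."""
    opts, depth, in_tls = {}, 0, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not in_tls:
            if re.match(r"^tls\s*\{$", line):
                in_tls, depth = True, 1
            continue
        depth += line.count("{") - line.count("}")  # ${var} is balanced
        if depth <= 0:
            break
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m and depth == 1:
            opts[m.group(1)] = m.group(2).strip().strip('"')
    return opts

def audit_eap_tls_disabled(conf_text, raddbdir):
    """List findings; an empty list means no client CA is trusted for EAP-TLS."""
    opts = parse_tls_section(conf_text)
    findings = []
    if "CA_file" in opts:
        findings.append("CA_file is still defined: " + opts["CA_file"])
    ca_path = opts.get("CA_path", "").replace("${raddbdir}", raddbdir)
    if not ca_path:
        findings.append("CA_path is not set")
    elif not os.path.isdir(ca_path):
        findings.append("CA_path is not a directory: " + ca_path)
    elif os.listdir(ca_path):
        findings.append("CA_path is not empty: " + ca_path)
    if "certificate_file" not in opts:
        findings.append("certificate_file is not set")
    return findings
```

Call audit_eap_tls_disabled() with the text of the file holding the eap section and the real raddb directory; it only checks that certificate_file is set, not what the file contains.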



