How to enable only EAP-TTLS type and not EAP-TLS?

Alan DeKok aland at deployingradius.com
Thu Jan 10 11:26:55 CET 2008


Reimer Karlsen-Masur, DFN-CERT wrote:
> This is definitely more elegant than my suggestion but I found that many
> FreeRADIUS admins get confused by the
> 
> CA_file
> CA_path
> 
> options. They think that they need to place the CA chain from *their
> FreeRADIUS server's SSL certificate* in the file/directory specified in the above
> options.

  I've added some comments in eap.cnf && raddb/certs/README explaining
more about these issues.

> But by doing so they most likely implicitly trust these CAs for
> client authentication via eap-tls, i.e. they enabled EAP-TLS with some set of
> trusted CAs that were never intended to authenticate client certs for their
> organisation.

  That's the whole purpose of CA_file, to be honest.

> Whereas the CA chain of *their FreeRADIUS server's SSL certificate* should be
> appended to the server certificate file specified with the
> 
> certificate_file
> 
> option.

  That is another way of doing it.

> So since specifying an empty CA_file does not work (FreeRADIUS does not
> start) the only way for a really clean minimal config that is not allowing
> EAP-TLS is to have an empty CA_path directory.

  That sounds reasonable.  I've updated the code to permit CA_file to be
empty, and added comments in eap.conf && raddb/certs/README about this.

  Alan DeKok.
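
As an added audit check that is not part of this thread or of FreeRADIUS itself: the Python below reads the tls section of an eap.conf fragment and counts how many CAs CA_file and CA_path would let vouch for client certificates, so a server chain misplaced in CA_file shows up as unintended EAP-TLS trust. It assumes a flat tls block with no nested sub-blocks, relative paths resolved against a base directory you pass in, and constructed PEM stand-ins in place of real certificates.

```python
import os
import re
import tempfile

# Constructed stand-in for a PEM certificate; only the BEGIN marker is counted.
FAKE_CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"

def parse_tls_section(eap_conf_text):
    """Return the key = value settings of the first tls { ... } block.
    Assumes one setting per line and no nested sub-blocks inside tls."""
    m = re.search(r"\btls\s*\{(.*?)^\s*\}", eap_conf_text, re.S | re.M)
    settings = {}
    for line in (m.group(1).splitlines() if m else []):
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value.strip('"')
    return settings

def count_pem_certs(path):
    """Number of certificates in one PEM file; 0 if it is missing or empty."""
    if not path or not os.path.isfile(path):
        return 0
    with open(path) as f:
        return f.read().count("-----BEGIN CERTIFICATE-----")

def audit_client_cert_trust(eap_conf_text, base_dir):
    """Count every CA the tls section would accept as issuer of a client
    certificate (CA_file plus every file under CA_path). Relative paths are
    resolved against base_dir (assumption; stock configs use ${certdir})."""
    s = parse_tls_section(eap_conf_text)
    ca_file = os.path.join(base_dir, s["CA_file"]) if s.get("CA_file") else ""
    ca_path = os.path.join(base_dir, s["CA_path"]) if s.get("CA_path") else ""
    n_file = count_pem_certs(ca_file)
    n_path = 0
    if ca_path and os.path.isdir(ca_path):
        n_path = sum(count_pem_certs(os.path.join(ca_path, f)) for f in os.listdir(ca_path))
    return {"ca_file_certs": n_file, "ca_path_certs": n_path,
            "eap_tls_possible": n_file + n_path > 0}

def demo():
    """Two constructed layouts: the server chain wrongly placed in CA_file, and
    the minimal one with an empty CA_file and an empty CA_path directory."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "empty_cas"))
    with open(os.path.join(root, "server_chain.pem"), "w") as f:
        f.write(FAKE_CA_PEM * 2)   # two CAs that were only meant to vouch for the server
    wrong = "tls {\n\tcertificate_file = server.pem\n\tCA_file = server_chain.pem\n}\n"
    right = "tls {\n\tcertificate_file = server.pem\n\tCA_file =\n\tCA_path = empty_cas\n}\n"
    return audit_client_cert_trust(wrong, root), audit_client_cert_trust(right, root)
```

Run against a real eap.conf, a non-zero count means every listed CA can issue certificates that EAP-TLS will accept for client authentication.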
