How to enable only EAP-TTLS type and not EAP-TLS?

Alan DeKok aland at deployingradius.com
Thu Jan 10 15:49:24 CET 2008


Reimer Karlsen-Masur, DFN-CERT wrote:
> Actually we were talking about server side config.

  Yes.  The server has been updated to simplify configurations without
EAP-TLS, and to document the issues involved in certificates.

> Looking at the supplicant, the user strongly should enter a fully qualified
> name of the radius server he is expecting his authN is checked against and
> he strongly should make sure that his supplicant is checking hard that this
> FQDN matches the CN of the RADIUS server cert. Usually there is some
> checkbox/option to enable that behavior.

  I don't recall seeing that, to be honest.  wpa_supplicant doesn't have
that, and Windows doesn't have it.  They both have a "validate server
certificate" checkbox, but that only checks the CA chain, NOT the CN.

  Alan DeKok.
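
The distinction discussed in this thread, between validating only the CA chain and also matching the expected server name against the certificate CN, shown as an added example that is not part of the original message. It uses the openssl command line rather than any supplicant, and the CA, host names and certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: the CA, host names, keys and certificates are all generated
# locally in a temporary directory and exist only for this illustration.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Create a throwaway CA, then one leaf certificate per CN given as argument.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Campus CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
    for cn in "$@"; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$work/$cn.key" -out "$work/$cn.csr" 2>/dev/null
        openssl x509 -req -in "$work/$cn.csr" -CA "$work/ca.pem" \
            -CAkey "$work/ca.key" -CAcreateserial -days 1 \
            -out "$work/$cn.pem" 2>/dev/null
    done
}

# Chain-only validation: is the certificate signed by the trusted CA?
chain_ok() {
    openssl verify -CAfile "$work/ca.pem" "$work/$1.pem" >/dev/null 2>&1
}

# Chain validation plus a check that the certificate names host $2.
# These certificates carry no subjectAltName, so OpenSSL compares against the CN.
chain_and_name_ok() {
    openssl verify -CAfile "$work/ca.pem" -verify_hostname "$2" \
        "$work/$1.pem" >/dev/null 2>&1
}

# Turn a check's exit status into a word.
report() { if "$@"; then echo accept; else echo reject; fi; }

expected=radius.example.org   # the server name the user means to authenticate to
make_pki radius.example.org printer.example.org
for host in radius.example.org printer.example.org; do
    echo "$host: chain-only=$(report chain_ok "$host")" \
        "chain+name=$(report chain_and_name_ok "$host" "$expected")"
done
```

Both certificates pass the chain-only check because the same CA issued them; only the name comparison separates the intended RADIUS server from any other certificate holder under that CA.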


