virtual server configuration

Alan DeKok aland at deployingradius.com
Wed Mar 12 07:02:07 CET 2008


usawebbox at fastmail.fm wrote:
> When TLS is empty (i.e. TLS {}):

  Huh?  Why would you leave it empty?

  If you're not going to use TLS, delete the whole section.  It's just
like any other module.

> When TLS is removed:
> 
> rlm_eap: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required
> first.

  If you're not going to use TTLS, delete that section, too.

> Or, if TTLS is also removed:
> 
> rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required
> first.
> 
> This makes sense, as I'll need my server cert for PEAP. If those certs
> have to be defined in the TLS block, what is the right way to disable
> TLS in this case, but still have PEAP working? 

  Don't issue client certificates.  EAP-TLS won't work.

> I tried deleting the
> CA_file, so I wouldn't be able to verify user certs, but it's required.
> Anyway, I don't want to offer TLS and fail it, I want to NAK it on
> server2.

  This is explained in the comments in eap.conf, above the "ttls" and
"peap" sections.

  Alan DeKok.


