Allow PEAP and TTLS, but reject TLS

tnt at kalik.net
Sat Mar 21 11:39:34 CET 2009


>I'm using FreeRADIUS 2.1.1. My setup has been successfully
>authenticating TLS, TTLS, and PEAP for a while. Now I would like to deny
>TLS in the EAP negotiation, although the users will still have client
>certificates. I don't know how to reject TLS without breaking PEAP/TTLS.

Revoke the certificates.

>Those methods require the TLS block, which must then have the CA cert to
>validate the server certificate, and the server continues to use that to
>validate user certs.
>
>Problem: PEAP is my default EAP-type, but the client can nak it and
>choose EAP-TLS instead.
> 

Remove { ok=return } from eap in authorize. Add this after eap entry:


if(EAP-Type == EAP-TLS) {
     update control {
          Auth-Type := Reject
     }
}

Ivan Kalik
Kalik Informatika ISP
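
The negotiation discussed in this thread (server offers PEAP, client NAKs and asks for EAP-TLS), as an added Python example that is not part of the original message and is not FreeRADIUS code. The function names and the sample packets are constructed for illustration, the EAP type numbers are the IANA values (RFC 3748), and it assumes EAP-Type mirrors the Type byte of the client's EAP-Response.

```python
import struct

# EAP method numbers from the IANA EAP registry (RFC 3748 and successors).
EAP_NAK, EAP_TLS, EAP_TTLS, EAP_PEAP = 3, 13, 21, 25
EAP_RESPONSE = 2


def parse_eap(packet: bytes):
    """Return (code, identifier, eap_type, type_data) for one EAP packet."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    if code not in (1, 2):            # Success/Failure carry no Type field
        return code, ident, None, b""
    if length < 5:
        raise ValueError("Request/Response without Type")
    return code, ident, packet[4], packet[5:length]


def verdict(packet: bytes) -> str:
    """Classify a client EAP packet the way the policy in the reply would."""
    code, _, eap_type, data = parse_eap(packet)
    if code != EAP_RESPONSE:
        return "ignore"
    if eap_type == EAP_TLS:           # same test as: EAP-Type == EAP-TLS
        return "reject"
    if eap_type == EAP_NAK and EAP_TLS in data:
        return "nak-requests-tls"     # rule does not match a NAK; worth logging
    return "continue"


def eap_response(ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """Build a constructed EAP-Response for the demo below."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), eap_type) + data


# Constructed exchange: server offered PEAP, client NAKs and asks for EAP-TLS.
SAMPLES = [
    ("NAK asking for EAP-TLS", eap_response(2, EAP_NAK, bytes([EAP_TLS]))),
    ("EAP-TLS response", eap_response(3, EAP_TLS, b"\x00")),
    ("PEAP response", eap_response(3, EAP_PEAP, b"\x00")),
    ("EAP-TTLS response", eap_response(3, EAP_TTLS, b"\x00")),
]

if __name__ == "__main__":
    for label, pkt in SAMPLES:
        print(f"{label:24} {pkt.hex():14} -> {verdict(pkt)}")
```

The NAK itself carries type 3, so a comparison against EAP-TLS only matches once the client sends its first type 13 response; PEAP (25) and TTLS (21) responses pass through untouched.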



