need help - force EAP-TTLS to validate the server certificate

Klaus Laus superklausx at gmx.de
Thu Sep 16 13:37:51 CEST 2010


>   Put this into the "users" file:
> 
> DEFAULT	EAP-TLS-Require-Client-Cert = yes

I did this, but the clients can still log in without any client certificate, for example with PEAP or EAP-TTLS. Here is my users file:

DEFAULT	EAP-TLS-Require-Client-Cert = yes
testuser	Cleartext-Password := "xxxxxxx"
		Reply-Message = "Hello, %{User-Name}"
DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP

Here's the eap.conf file

	eap {
		default_eap_type = md5
		timer_expire     = 60
		ignore_unknown_eap_types = no
		cisco_accounting_username_bug = no
		max_sessions = 2048
		md5 {
		}
		leap {
		}
		gtc {
			auth_type = PAP
		}
		tls {
			certdir = /etc/ssl
			cadir = /etc/ssl
			private_key_password = xxxxxx
			private_key_file = ${certdir}/serverkey.pem
			certificate_file = ${certdir}/servercert.pem
			CA_file = ${cadir}/cacert.pem
			dh_file = ${certdir}/dh
			random_file = ${certdir}/random
			check_crl = no
			CA_path = /etc/ssl
			cipher_list = "DEFAULT"
			cache {
			      enable = no
			      lifetime = 24 # hours
			      max_entries = 255
			}
		}
		ttls {
			default_eap_type = md5
			copy_request_to_tunnel = no
			use_tunneled_reply = no
			virtual_server = "inner-tunnel"
		}
		peap {
			default_eap_type = mschapv2
			copy_request_to_tunnel = no
			use_tunneled_reply = no
			proxy_tunneled_request_as_eap = yes
			virtual_server = "inner-tunnel"
		}
		mschapv2 {
		}
	}


Any ideas what is wrong here? Thanks

-------- Original Message --------
> Date: Thu, 16 Sep 2010 09:54:28 +0200
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: need help - force EAP-TTLS to validate the server certificate

> Klaus Laus wrote:
> > Thanks a lot Alan DeKok, do I have any possibility to permit login only
> > to persons with username/password and client certificate?
> > All authentication methods work fine on my server, but I'll only
> > permit login with username/password and client certificate. Which code do I need
> > to set in users/eap.conf ?
> > TLS works fine on my server and the users can log in with the
> > client certificate, but I don't want to allow login without
> > username/password, and I also don't want to allow logins with username and password but without
> > client certificates.
> 
>   Put this into the "users" file:
> 
> DEFAULT	EAP-TLS-Require-Client-Cert = yes
> 
>   This will require client certificates for *all* EAP methods.  If you
> want it to be more specific, see "man unlang" for writing general
> policies.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
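
As an added example (not part of this thread and not FreeRADIUS code), the following Python script models the part of the rlm_files lookup that the posted users file depends on: entries are tried in file order, an entry is a candidate when its name is the user's name or DEFAULT, first-line items with "==" are compared against the request while "=" / ":=" items are server configuration items that always match and go to the control list, and the first matching entry ends the search unless its reply items contain Fall-Through = Yes. Those rules are a simplification stated here as assumptions; the sample users file is the one from the post with the password left as the placeholder the post uses. Run against that file, the lookup for testuser stops at the leading DEFAULT entry, so the testuser entry and the later DEFAULT entries are never reached; with Fall-Through = Yes on the first entry they are. Whether that is what happens on the poster's server is something the debug output (radiusd -X, "Matched entry ... at line ...") would show.

```python
"""Model of the first-match / Fall-Through rule of the FreeRADIUS "users" file.

Added example written for this thread, not code from the FreeRADIUS project.
It models only the rules the post depends on (assumptions, not a full parser):

  * entries are tried in file order; an entry is a candidate when its
    name is the user's name or DEFAULT;
  * first-line items use "==" to compare against the request, while
    "=" / ":=" are server configuration items that always match and are
    copied to the control list (Cleartext-Password, EAP-TLS-Require-Client-Cert);
  * indented lines are reply items; the first matching entry ends the
    search unless its reply items contain Fall-Through = Yes.
"""
import re

# attribute, operator, value (quoted values may contain commas)
ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def _unquote(value):
    return value[1:-1] if value.startswith('"') and value.endswith('"') else value


def parse_users(text):
    """Return entries as (name, check_items, reply_items) in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # continuation line: reply items of the current entry
            if not entries:
                raise ValueError("reply items before any entry: %r" % line)
            for attr, _op, value in ITEM.findall(line):
                entries[-1][2].append((attr, _unquote(value)))
        else:  # new entry: name followed by optional check items
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            checks = [(a, op, _unquote(v)) for a, op, v in ITEM.findall(rest)]
            entries.append((parts[0], checks, []))
    return entries


def _check_holds(attr, op, value, request):
    if op in ("=", ":="):  # configuration item: never compared, always matches
        return True
    if op == "==":
        return request.get(attr) == value
    raise ValueError("unsupported operator %r" % op)


def lookup(entries, username, request):
    """Walk the entries in order. Returns (control, reply, matched_indexes)."""
    control, reply, matched = {}, {}, []
    for idx, (name, checks, replies) in enumerate(entries):
        if name not in (username, "DEFAULT"):
            continue
        if not all(_check_holds(a, op, v, request) for a, op, v in checks):
            continue
        matched.append(idx)
        for attr, op, value in checks:
            if op in ("=", ":="):
                control[attr] = value
        fall_through = False
        for attr, value in replies:
            if attr == "Fall-Through":  # consumed by the server, never sent
                fall_through = value.lower() in ("yes", "1")
            else:
                reply[attr] = value
        if not fall_through:
            break
    return control, reply, matched


def authorize(users_text, username, request):
    return lookup(parse_users(users_text), username, request)


# The users file from the post, constructed here; the password is a placeholder.
POSTED_USERS = """\
DEFAULT\tEAP-TLS-Require-Client-Cert = yes
testuser\tCleartext-Password := "xxxxxxx"
\t\tReply-Message = "Hello, %{User-Name}"
DEFAULT\tFramed-Protocol == PPP
\tFramed-Protocol = PPP,
\tFramed-Compression = Van-Jacobson-TCP-IP
DEFAULT\tHint == "CSLIP"
\tFramed-Protocol = SLIP,
\tFramed-Compression = Van-Jacobson-TCP-IP
DEFAULT\tHint == "SLIP"
\tFramed-Protocol = SLIP
"""

# Same file with Fall-Through on the leading DEFAULT entry.
FIXED_USERS = POSTED_USERS.replace(
    "DEFAULT\tEAP-TLS-Require-Client-Cert = yes\n",
    "DEFAULT\tEAP-TLS-Require-Client-Cert = yes\n\tFall-Through = Yes\n", 1)

if __name__ == "__main__":
    req = {"User-Name": "testuser"}
    for label, text in (("posted", POSTED_USERS), ("with Fall-Through", FIXED_USERS)):
        control, reply, matched = authorize(text, "testuser", req)
        print("%s: matched entries %s" % (label, matched))
        print("  control:", control)
        print("  reply:  ", reply)
```

The script reads the users file from a string so it runs offline; pointing parse_users at the contents of a real users file works the same way, but only for the operators modelled above.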



