Disable PEAP-TLS but allow PEAP

Matthew Newton mcn4 at leicester.ac.uk
Tue Aug 14 19:21:34 CEST 2012


Hi,

On Tue, Aug 14, 2012 at 04:09:01PM +0100, Phil Mayers wrote:
> On 14/08/12 15:57, Cotton, Jesse wrote:
> >I’ve read several posts about this and none have been helpful.
> 
> In the current version of the server, I think this is hard.

As mentioned, comment out CA_file in eap.conf.

To reinforce it, you can add

  if (EAP-Type == "EAP-TLS") {
      reject
  }

after 'eap' in the authorize section of your outer server (likely
default), or add something like

DEFAULT  EAP-Type == EAP-TLS, Auth-Type := Reject

to your users file.


> It may be easier in the HEAD / 3.0 code.

It is -

In 3.0, EAP-TLS has been separated from PEAP and EAP-TTLS. So you
can update the TLS configuration in mods-enabled/eap to the new
tls-config format, and then just comment out the tls {} section.
(So, in the default 3.0 config, just comment out the tls{}
section.)

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
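The two approaches in the reply above, written out as an added example (not from the thread, and not the files shipped with FreeRADIUS). The first fragment is the 3.0 mods-enabled/eap layout with the tls {} sub-section disabled so that EAP-TLS is never loaded while PEAP and TTLS keep using the shared tls-config; the second is the 2.x belt-and-braces check in the outer virtual server and the users file. Certificate paths, the private_key_password value, the "inner-tunnel" server name and the modules listed around eap in authorize are assumptions.

```conf
# --- FreeRADIUS 3.0: raddb/mods-enabled/eap (added example, not the shipped file) ---
eap {
    # Offer PEAP first. A client that insists on EAP-TLS cannot be
    # satisfied because no tls {} sub-section is defined below, so
    # type 13 is never negotiated by this server.
    default_eap_type = peap

    # One shared TLS configuration, referenced by name from peap/ttls.
    # The server certificate is all PEAP and TTLS need; ca_file is only
    # consulted when validating *client* certificates, i.e. for EAP-TLS.
    tls-config tls-common {
        private_key_password = whatever          # assumed value
        private_key_file = ${certdir}/server.pem  # assumed path
        certificate_file = ${certdir}/server.pem  # assumed path
        ca_file = ${cadir}/ca.pem                 # assumed path
        dh_file = ${certdir}/dh
        cipher_list = "DEFAULT"
    }

    # Commented out: this is the whole change for 3.0.
    # With no tls {} section, the eap module does not load EAP-TLS at all.
    #tls {
    #    tls = tls-common
    #}

    ttls {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"   # assumed inner server name
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"   # assumed inner server name
    }

    mschapv2 {
    }
}

# --- FreeRADIUS 2.x: raddb/sites-enabled/default, authorize section ---
# (preprocess/suffix/files/pap are assumed neighbours; only the block
#  after 'eap' is the point of the example)
authorize {
    preprocess
    suffix
    eap {
        ok = return
    }
    # Belt and braces: even with CA_file commented out in eap.conf,
    # refuse an EAP-TLS attempt outright instead of letting it fail
    # later during client-certificate validation. PEAP (25) and
    # TTLS (21) are untouched because EAP-Type names the outer method.
    if (EAP-Type == "EAP-TLS") {
        reject
    }
    files
    pap
}

# --- or, equivalently, in raddb/users (read by the 'files' module) ---
DEFAULT  EAP-Type == EAP-TLS, Auth-Type := Reject
```

Start the server with radiusd -X after the change and check the module instantiation output for the eap types that actually load; a supplicant configured for EAP-TLS should then be refused rather than asked for a client certificate, while PEAP-MSCHAPv2 continues to reach the inner-tunnel server.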

