PEAP/TTLS

Alan DeKok aland at deployingradius.com
Fri Sep 23 21:30:23 CEST 2016


On Sep 23, 2016, at 3:20 PM, Peter Lesko <plesko at blispay.com> wrote:
> 
> I'm having a similar issue to the one described here:
> http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-td3238845.html
> 
> Currently, I can auth with just a signed cert, or just username/password
> 
> I would like to enforce both, but I have been unable to determine the
> correct keywords/config after reading many forum posts, in addition to the
> comments provided in the default configuration

  OK...

> I have attempted to add this config line to enforce signed certs in
> sites-available/default:
> EAP-TLS-Require-Client-Cert = yes
> 
> This causes freeradius not to start for me though,

  The server produces an error message when run in debug mode.  Are you reading it?

  Or, maybe you're not even using debug mode.  Why not?

> and I'm pretty certain I
> have tried putting that in each block present in the file

  Don't "try hard".  Follow the documentation and examples.

  You CANNOT just put that text into the default virtual server, and expect it to work.  The format of that file is documented.  Please read "man unlang".

> As for requiring user/password auth, I have tried:
> 
> DEFAULT EAP-Type == EAP-Type-TLS, Auth-Type := Reject
> Which causes freeradius to fail to load

  It may be useful to read the error message it produces.

> DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
> Which still allows EAP-TLS only
> 
> DEFAULT EAP-Type != PEAP, Auth-Type := Reject
> Which still allows EAP-TLS only as well
> 
> Please advise

  Read the documentation and examples to see how the server works.  Don't invent your own syntax.

  In the "authorize" section, add:

	update control {
		EAP-TLS-Require-Client-Cert = yes
	}

  Alan DeKok.
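To make the placement concrete, here is an added example (not part of Alan's reply, and not the original poster's file) of where that update block sits inside the "authorize" section of raddb/sites-available/default in a FreeRADIUS 3.x layout. The surrounding module calls (preprocess, eap, files) follow the shape of the default configuration shipped with the server; the ordering before "eap" and the inner-tunnel comment are my assumptions about how a client certificate on the outer TLS session combines with the username/password check that PEAP/TTLS already perform inside the tunnel.

```unlang
# raddb/sites-available/default  (added example, FreeRADIUS 3.x layout assumed)
# Only the authorize section is shown; the other sections are unchanged.
authorize {
	preprocess

	# EAP-TLS-Require-Client-Cert is a control attribute, so it must be
	# set with "update control" inside a section.  A bare
	# "EAP-TLS-Require-Client-Cert = yes" line is not valid unlang and
	# is why the server refused to start.  Setting it here, before the
	# eap module runs, makes the outer TLS handshake of EAP-TLS, PEAP
	# and TTLS demand a client certificate signed by a trusted CA.
	update control {
		EAP-TLS-Require-Client-Cert = yes
	}

	# The eap module handles the TLS handshake.  For PEAP/TTLS the
	# username/password exchange then happens in the inner-tunnel
	# virtual server (sites-available/inner-tunnel), which is where the
	# existing password authentication already runs.  The client therefore
	# has to present both a valid certificate and valid credentials.
	eap {
		ok = return
	}

	files
}
```

Run the server with "radiusd -X" after the change; if the attribute name or the section is wrong, the error appears in the startup output before any client connects.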



