Yes this is much better, but anyway I had disabled PEAP in eap.conf. thanks Rick Arran Cudbard-Bell ha scritto:
Riccardo Veraldi wrote:
I think there is a cleaner way. I enabled only EAP-TTLS and disabled EAP-TLS just puttting this lin in /etc/radddb/users
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
It works, I think Alan gave me this hint 1 year ago, maybe it could be put in the FAQ since it is an interesting way to solve the problem. Don't you want
DEFAULT EAP-Type != EAP-TTLS, Auth-Type := Reject
or in unlang
if("%{EAP-Type}" != 'EAP-TTLS'){ reject }
Rick
Reimer Karlsen-Masur, DFN-CERT ha scritto:
Hi,
nikitha george wrote on 09.01.2008 10:04:
Hi, I want to enable only TTLS authentication and if the client is requesting any other types EAP-TLS or PEAP the authentication should be denied.
within the eap section you must configure the tls and the ttls section. Delete the peap section.
I am running freeradius-1.1.6, and if try to disable EAP-TLS module the server itself is not starting up. Please let me know if there are any ways to achieve this.
Then to disable the eap-tls functionality you must create an *empty* directory e.g. ${raddbdir}/certs/trustedCAsForRoamingClients/ and then within the tls section define
CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/
Also you must remove the definition of the parameter
CA_file =
This way you don't have any accepted CAs in your config that are trusted CAs for issued client certificates for eap-tls authentication
Make sure though that you put the radius server certificate and its CA chain including the root CA certificate in PEM format into the file specified with the
certificate_file
option in the tls section.
HTH
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html