21 Mar
2009
21 Mar
'09
6:39 a.m.
I'm using Freeradius 2.1.1. My setup has been successfully authenticating TLS, TTLS, and PEAP for a while. Now I would like to deny TLS in the EAP negotiation, although the users will still have client certificates. I don't know how to reject TLS without breaking PEAP/TTLS.
Revoke the certificates.
Those methods require the TLS block, which must then have the CA cert to validate the server certificate, and the server continues to use that to validate user certs.
Problem: PEAP is my default EAP-type, but the client can nak it and choose EAP-TLS instead.
Remove { ok=return } from eap in authorize. Add this after eap entry: if(EAP-Type == EAP-TLS) { update control { Auth-Type := Reject } } Ivan Kalik Kalik Informatika ISP