Sorry, still lost: In the tls-config tls-common I see a flag set for : # Disable_tlsv1_2 = no [that is commented out]… And a # check_cert_issuer = And a # check_cert_cn = The tls config per se : Tls { Just points back to the tls-config tls-common I believe… If you want to take this discussion off line because it is somewhat security sensitive, I am jtobin@po-box.esu.edu. Sincerely, tob On 3/23/17, 15:38, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+jtobin=po-box.esu.edu@lists.freeradius.org on behalf of aland@deployingradius.com> wrote:
On Mar 23, 2017, at 2:34 PM, John Tobin <jtobin@po-box.esu.edu> wrote:
Where is the tls 1.2 negotiation documented, I am somewhat of a newbie, I did search google for tls disable free radiusd, etc. didn¹t see anything like a disable switch/ or option, but then I may not have been looking in the right place.
Google is generally worse than reading the server's documentation, or the config files.
For EAP-TLS methods... edit the EAP module configuration. i.e. raddb/mods-available/eap. Look for "tls".
Give me a word on the tls situation. I do get it, if you don¹t include the client cert, then the TLS [with the server cert installed] checks to make sure you have the correct server, and the client authentication is by userid / Password. But that is kind of a miss of true TLS which would need both the server and the client cert supported.
You can use EAP-TLS, too. You don't need passwords.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html