usawebbox@fastmail.fm wrote:
When TLS is empty (i.e. TLS {}):
Huh? Why would you leave it empty? If you're not going to use TLS, delete the whole section. It's just like any other module.
When TLS is removed:
rlm_eap: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required first.
If you're not going to use TTLS, delete that section, too.
Or, if TTLS is also removed:
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.
This makes sense, as I'll need my server cert for PEAP. If those certs have to be defined in the TLS block, what is the right way to disable TLS in this case, but still have PEAP working?
Don't issue client certificates. EAP-TLS won't work.
I tried deleting the CA_file, so I wouldn't be able to verify user certs, but it's required. Anyway, I don't want to offer TLS and fail it, I want to NAK it on server2.
This is explained in the comments in eap.conf, above the "ttls" and "peap" sections. Alan DeKok.