Put this into the "users" file:
DEFAULT EAP-TLS-Require-Client-Cert = yes
I did this, but the clients can login furthermore without any client certificate for example with PEAP or EAP-TTLS. Here is my users file: DEFAULT EAP-TLS-Require-Client-Cert = yes testuser Cleartext-Password := "xxxxxxx" Reply-Message = "Hello, %{User-Name}" DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP Here's the eap.conf file eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = /etc/ssl cadir = /etc/ssl private_key_password = xxxxxx private_key_file = ${certdir}/serverkey.pem certificate_file = ${certdir}/servercert.pem CA_file = ${cadir}/cacert.pem dh_file = ${certdir}/dh random_file = ${certdir}/random check_crl = no CA_path = /etc/ssl cipher_list = "DEFAULT" cache { enable = no lifetime = 24 # hours max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } mschapv2 { } } Any idea's what is wrong here? Thanks -------- Original-Nachricht --------
Datum: Thu, 16 Sep 2010 09:54:28 +0200 Von: Alan DeKok <aland@deployingradius.com> An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: need help - force EAP-TTLS to validate the server certificate
Klaus Laus wrote:
Thanks a lot Alan DeKok, do I have any possibility to permit login only persons with username/password and client certificate? All authentications methods works fine on my server, but I´ll only permit login with username/password and client certificate. Which code I need to set in users/eap.conf ? TLS works fine on my server and the users can login themselves with the client certificate, but I don´t want allow login without username/password, also I don´t want allow logins with username and password but without client certificates.
Put this into the "users" file:
DEFAULT EAP-TLS-Require-Client-Cert = yes
This will require client certificates for *all* EAP methods. If you want it to be more specific, see "man unlang" for writing general policies.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- GRATIS: Spider-Man 1-3 sowie 300 weitere Videos! Jetzt freischalten! http://portal.gmx.net/de/go/maxdome