Hello, Just a question about the section "tls-config tls-common" of the module eap file. Do both attributes ca_file and ca_path permit to verify a client certificate in an EAP-TLS authentication ? And so, if we do NOT want to permit EAP-TLS authentication, we have to : - comment out the attributes ca_file AND ca_path - concatenate the server certificate and the CA certificate (as explained in comments) This setup should allow to establish TLS tunnel for other EAP method (TTLS, PEAP) but refuse an EAP-TLS request. Is it correct ? our am I wrong ? Regards, -- Jérôme BERTHIER
On Fri, 2017-11-24 at 11:58 +0100, Jérôme BERTHIER wrote:
And so, if we do NOT want to permit EAP-TLS authentication, we have to :
- comment out the attributes ca_file AND ca_path
- concatenate the server certificate and the CA certificate (as explained in comments)
To disable EAP-TLS, just comment out the entire tls{} section in mods- available/eap. You can comment out the CA options in tls-common as well if you want, but it should not be necessary. -- Matthew
Le 24/11/2017 à 12:46, Matthew Newton a écrit :
On Fri, 2017-11-24 at 11:58 +0100, Jérôme BERTHIER wrote:
And so, if we do NOT want to permit EAP-TLS authentication, we have to :
- comment out the attributes ca_file AND ca_path
- concatenate the server certificate and the CA certificate (as explained in comments) To disable EAP-TLS, just comment out the entire tls{} section in mods- available/eap.
You can comment out the CA options in tls-common as well if you want, but it should not be necessary.
Sorry I was confused about old setup from Freeradius 1.x when the tls section was mandatory for TTLS and PEAP. Now, to do TTLS and PEAP without tls, I note that we just have to : - setup the section tls-config tls-common {} where we can as well use ca_file or ca_path or concatenate server and CA certificate. - disable the section tls {} Thanks you for your answer Regards, -- Jérôme BERTHIER
participants (2)
-
Jérôme BERTHIER -
Matthew Newton