We need to use a public certificate for PEAP b/c the majority of our clients are not on our domain. However I do not want to allow EAP-TLS with any cert signed by the 3rd party CA. Is it possible to prevent PEAP-TLS with a cert but allow PEAP? If so, what config options do I need to add and where? I've read several posts about this and none have been helpful. Jesse
On 14/08/12 15:57, Cotton, Jesse wrote:
We need to use a public certificate for PEAP b/c the majority of our clients are not on our domain. However I do not want to allow EAP-TLS with any cert signed by the 3^rd party CA. Is it possible to prevent PEAP-TLS with a cert but allow PEAP? If so, what config options do I need to add and where?
It is EAP-TLS. NOT PEAP-TLS.
I’ve read several posts about this and none have been helpful.
In the current version of the server, I think this is hard. It may be easier in the HEAD / 3.0 code.
That was a typo. I meant EAP-TLS. Thanks for the quick reply. -----Original Message----- From: freeradius-users-bounces+jesse.cotton=stockton.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jesse.cotton=stockton.edu@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Tuesday, August 14, 2012 11:09 AM To: freeradius-users@lists.freeradius.org Subject: Re: Disable PEAP-TLS but allow PEAP On 14/08/12 15:57, Cotton, Jesse wrote:
We need to use a public certificate for PEAP b/c the majority of our clients are not on our domain. However I do not want to allow EAP-TLS with any cert signed by the 3^rd party CA. Is it possible to prevent PEAP-TLS with a cert but allow PEAP? If so, what config options do I need to add and where?
It is EAP-TLS. NOT PEAP-TLS.
I've read several posts about this and none have been helpful.
In the current version of the server, I think this is hard. It may be easier in the HEAD / 3.0 code. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
That was a typo. I meant EAP-TLS.
this is easy to fix. concatenate your RADIUS server and CA (and any intermediates) into one file. call that file in the certificate_file = line then comment out CA_file = this is clearly documented: # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item.
Thanks alan. I tried that at some point but FR threw an error about the cert not matching the private key. Tried again and switched the order of the certs so the server cert is the first in the file and works like a champ. -----Original Message----- From: freeradius-users-bounces+jesse.cotton=stockton.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jesse.cotton=stockton.edu@lists.freeradius.org] On Behalf Of alan buxey Sent: Tuesday, August 14, 2012 11:38 AM To: FreeRadius users mailing list Subject: Re: Disable PEAP-TLS but allow PEAP Hi,
That was a typo. I meant EAP-TLS.
this is easy to fix. concatenate your RADIUS server and CA (and any intermediates) into one file. call that file in the certificate_file = line then comment out CA_file = this is clearly documented: # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, On Tue, Aug 14, 2012 at 04:09:01PM +0100, Phil Mayers wrote:
On 14/08/12 15:57, Cotton, Jesse wrote:
I’ve read several posts about this and none have been helpful.
In the current version of the server, I think this is hard.
As mentioned, comment out CA_file in eap.conf. To reinforce it, you can add if (EAP-Type == "EAP-TLS") { reject } after 'eap' in the authorize section of your outer server (likely default), or add something like DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject to your users file.
It may be easier in the HEAD / 3.0 code.
It is - In 3.0, EAP-TLS has be separated from PEAP and EAP-TTLS. So you can update the TLS configuration in mods-enabled/eap to the new tls-config format, and then just comment out the tls {} section. (So, in the default 3.0 config, just comment out the tls{} section.) Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Cotton, Jesse wrote:
We need to use a public certificate for PEAP b/c the majority of our clients are not on our domain. However I do not want to allow EAP-TLS with any cert signed by the 3^rd party CA. Is it possible to prevent PEAP-TLS with a cert but allow PEAP? If so, what config options do I need to add and where?
You need to read raddb/sites-available/inner-tunnel. You should look for EAP-TLS in the inner tunnel, and reject it. Alan DeKok.
participants (5)
-
alan buxey -
Alan DeKok -
Cotton, Jesse -
Matthew Newton -
Phil Mayers