Allow PEAP and TTLS, but reject TLS
I'm using Freeradius 2.1.1. My setup has been successfully authenticating TLS, TTLS, and PEAP for a while. Now I would like to deny TLS in the EAP negotiation, although the users will still have client certificates. I don't know how to reject TLS without breaking PEAP/TTLS. Those methods require the TLS block, which must then have the CA cert to validate the server certificate, and the server continues to use that to validate user certs. Problem: PEAP is my default EAP-type, but the client can nak it and choose EAP-TLS instead. I saw this comment in eap.conf: "If you do not use client certificates, and you do not want to permit EAP-TLS authentication, then delete this configuration item" (referring to CA_file) Unfortunately, this is not literally true. It sounded like a simple way to use the TLS block only to enable PEAP and TTLS, but if the CA cert is in "certificate_file" and the "CA_file" configuration item is deleted, EAP-TLS is still permitted as an authentication method. Note: I have read all the comments in this file, not just the one I quoted. If someone knows a way to do this, I would appreciate the knowledge. I suppose I would be willing to restrict the EAP-type only PEAP (or only TTLS) if that is the only way to reject EAP-TLS. Thank you. -- usawebbox@fastmail.fm -- http://www.fastmail.fm - Faster than the air-speed velocity of an unladen european swallow
I'm using Freeradius 2.1.1. My setup has been successfully authenticating TLS, TTLS, and PEAP for a while. Now I would like to deny TLS in the EAP negotiation, although the users will still have client certificates. I don't know how to reject TLS without breaking PEAP/TTLS.
Revoke the certificates.
Those methods require the TLS block, which must then have the CA cert to validate the server certificate, and the server continues to use that to validate user certs.
Problem: PEAP is my default EAP-type, but the client can nak it and choose EAP-TLS instead.
Remove { ok=return } from eap in authorize. Add this after eap entry: if(EAP-Type == EAP-TLS) { update control { Auth-Type := Reject } } Ivan Kalik Kalik Informatika ISP
participants (2)
-
tnt@kalik.net -
usawebbox@fastmail.fm