Definite Auth-Type via SQL-DB
Dear list. I'm using freeradius 2.2.5 on Debian-Jessie. I would like to limit the accepted authentication types to TTLS-PAP, as I'm using SHA1-PWs stored in a MySQL-DB. As described on http://deployingradius.com/documents/configuration/auth_type.html using `Auth-Type' in sites-available/inner-tunnel or default to generally reject mschap and chap is not recommended. Instead an entry in the users file (or radcheck table) should be used. The problem is for me, that the example describes the acception of MSCHAP only, but I didn't succeed in adapting it for accepting PAP only. How is this possible to reject any authentication attempt except PAP? For advanced: How generally switch of PEAP? Many thanks in advance and best regards Jens
Hi,
For advanced: How generally switch of PEAP?
if you dont want your server to do PEAP , then remove it from the EAP config.... however, how are you dealing with clients - as most still dont do EAP-TTLS/PAP (and if doing EAP-TTLS/PAP you cannot ensure that the client is correctly, securely configured - which for a PAP mathod is pretty much essential). alan
Many thanks for your answer.
if you dont want your server to do PEAP , then remove it from the EAP config....
I did, but now I'm receiving errors when running the server with the -X option: Certificate Compatibility.
however, how are you dealing with clients - as most still dont do EAP-TTLS/PAP (and if doing EAP-TTLS/PAP you cannot ensure that the client is correctly, securely configured - which for a PAP mathod is pretty much essential).
What do you mean with "dealing with clients"? Is there any client config error which may cause sending the password not inside the TLS-Tunnel? And what do you mean with client: The NAS or the dial up client? But also using a CHAP-Password would then not lead to an improved security when sending it not via the encrypted tunnel, does it? Many thanks and best regards Jens
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
dump@gmx.info