Disabling EAP-TLS while keeping EAP-PEAP
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required. How can I disable EAP-TLS while using EAP-PEAP? I agree that if the client does not have a client key, EAP-TLS will not work. But how to restrict EAP-TLS in any case? Thanks! - -- ============== +---------------------------------------------+ Martin Gadbois | "Please answer by yes or no. | Sr. SW Designer | Uncooperative user waste precious CPU time" | Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969 | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGYGSw9Y3/iTTCEDkRAiawAJ9hANUDvgjJTDDwAfiQkDR/NUKH1ACghRNW O1DdJnCymFB8hsiiIUMc9Ks= =1OR5 -----END PGP SIGNATURE-----
By not issuing client certificates. Ivan Kalik Kalik Informatika ISP Dana 1/6/2007, "Martin Gadbois" <martin.gadbois@colubris.com> piše:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.
How can I disable EAP-TLS while using EAP-PEAP?
I agree that if the client does not have a client key, EAP-TLS will not work. But how to restrict EAP-TLS in any case?
Thanks!
- -- ============== +---------------------------------------------+ Martin Gadbois | "Please answer by yes or no. | Sr. SW Designer | Uncooperative user waste precious CPU time" | Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969 | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGYGSw9Y3/iTTCEDkRAiawAJ9hANUDvgjJTDDwAfiQkDR/NUKH1ACghRNW O1DdJnCymFB8hsiiIUMc9Ks= =1OR5 -----END PGP SIGNATURE----- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 tnt@kalik.co.yu wrote:
By not issuing client certificates.
While I covered this solution in my initial posting, what if a certificate was issued, no CRL possible and I want to disable EAP-TLS but keep EAP-PEAP? - -- ============== +---------------------------------------------+ Martin Gadbois | "Please answer by yes or no. | Sr. SW Designer | Uncooperative user waste precious CPU time" | Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969 | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGYICA9Y3/iTTCEDkRAoUVAJ9AkEcaJz1982XRsby3LIU6XCDAhwCfSOqN 3w+xIMoyhuEnPElmiJi6bCU= =ZqwT -----END PGP SIGNATURE-----
Martin Gadbois wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.
How can I disable EAP-TLS while using EAP-PEAP?
Just curious.. why would you want to? You could try this in "users": DEFAULT EAP-Type == EAP-Type-TLS, Auth-Type := Reject ...but that'll almost certainly break the "negotiate mechanism" bit of EAP. However if you specify the default eap type as PEAP and the client rejects that then chooses TLS which you want to stop, rejecting them is probably not much of a loss.
hi, i have configured my freeradius as proxy, and i have used in fisrt eap type md5! now i want to use it with eap-peap and use active directory in windows server 2003! my application must be use the authentication which start windows session on a domain server in active directory to authenticate users on the network! i need configuration of eap.conf _________________________________________________________________ MSN Messenger: appels gratuits de PC à PC ! http://www.msn.fr/newhotmail/Default.asp?Ath=f
Hi! By commenting the CA_file parameter in the eap->tls section: # CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem *and* by setting CA_path parameter in the eap->tls section to an *empty* directory CA_path = ${raddbdir}/certs/trustedCAs should do the trick. No trusted CAs mean no trusted client certificates :-) Martin Gadbois wrote:
When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.
How can I disable EAP-TLS while using EAP-PEAP?
I agree that if the client does not have a client key, EAP-TLS will not work. But how to restrict EAP-TLS in any case?
-- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Reimer Karlsen-Masur, DFN-CERT wrote:
Hi!
By commenting the CA_file parameter in the eap->tls section:
# CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem
*and*
by setting CA_path parameter in the eap->tls section to an *empty* directory
CA_path = ${raddbdir}/certs/trustedCAs
should do the trick.
No trusted CAs mean no trusted client certificates :-)
Clever! Thanks! - -- ============== +---------------------------------------------+ Martin Gadbois | "Please answer by yes or no. | Sr. SW Designer | Uncooperative user waste precious CPU time" | Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969 | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGdnyD9Y3/iTTCEDkRApsHAJ4lbCBVKyd7abo3iwPax7p5o6mJmQCgtSnh XxxNtA3ZkZ1SSz+ulLYKiyo= =IZ66 -----END PGP SIGNATURE-----
participants (5)
-
Martin Gadbois -
parfait kouassi nda -
Phil Mayers -
Reimer Karlsen-Masur, DFN-CERT -
tnt@kalik.co.yu