can peap and ttls live together?
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Tue Apr 29 14:51:48 CEST 2008
Sergio Belkin wrote:
> Hi,
>
> I had been using EAP-TTLS, but as I've commented in an earlier post, I
> have no luck with securew2 and Vista. So I am planning to use a
> "secondary password" for radius in clear-text. But I'd want to know if
> TTLS and PEAP can live together, my current eap.conf is as follows:
>
> eap {
>     default_eap_type = ttls
>     timer_expire = 60
>     ignore_unknown_eap_types = no
>     cisco_accounting_username_bug = no
>     md5 {
>     }
>     leap {
>     }
>     gtc {
>         auth_type = PAP
>     }
>     tls {
>         private_key_file = /etc/pki/tls/certs/ips-spectrum-key.pem
>         certificate_file = /etc/pki/tls/certs/ips-spectrum-crt.pem
>         CA_file = /etc/pki/tls/certs/ips-ca-bundle.crt
>         dh_file = ${raddbdir}/certs/dh
>         random_file = ${raddbdir}/certs/random
>         cipher_list = "DEFAULT"
>     }
>     ttls {
>         default_eap_type = md5
>         copy_request_to_tunnel = no
>         use_tunneled_reply = yes
>     }
>     peap {
>         default_eap_type = mschapv2
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>     }
>     mschapv2 {
>     }
> }
>
Yes. If the supplicant doesn't support TTLS it'll NAK the offer of
EAP-TTLS and request PEAP. Default EAP type specifies the EAP type the
server initially attempts to negotiate with the supplicant.
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
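
The negotiation described in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code: a minimal Python model of the first EAP round trip, in which the server offers its `default_eap_type` and a supplicant that lacks it answers with a Nak (type 3, RFC 3748) listing what it wants. The function names and the empty type-data in the accepting response are assumptions made for illustration.

```python
import struct

# EAP codes (Request/Response), the Nak type, and method type numbers (RFC 3748, IANA)
REQUEST, RESPONSE, NAK = 1, 2, 3
EAP_TYPES = {"md5": 4, "gtc": 6, "tls": 13, "leap": 17,
             "ttls": 21, "peap": 25, "mschapv2": 26}
NAMES = {v: k for k, v in EAP_TYPES.items()}
# Methods with a section in the eap.conf quoted above
ENABLED = {"md5", "leap", "gtc", "tls", "ttls", "peap", "mschapv2"}


def eap_packet(code, ident, eap_type, data=b""):
    """Code(1) | Identifier(1) | Length(2) | Type(1) | Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def parse_eap(pkt):
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, eap_type, pkt[5:length]


def server_next_type(enabled, offered, response):
    """Return the method the server continues with, or None to reject."""
    code, _, eap_type, data = parse_eap(response)
    if code != RESPONSE:
        raise ValueError("expected an EAP-Response")
    if eap_type != NAK:
        return NAMES.get(eap_type) if eap_type == EAP_TYPES[offered] else None
    # Nak type-data lists the supplicant's acceptable methods in preference
    # order; a single 0 means it has no alternative to propose.
    for wanted in data:
        if NAMES.get(wanted) in enabled:
            return NAMES[wanted]
    return None


def negotiate(enabled, default_eap_type, supplicant_supports):
    """Simulate one round trip; supplicant_supports is in preference order."""
    offer = eap_packet(REQUEST, 1, EAP_TYPES[default_eap_type])
    _, ident, offered, _ = parse_eap(offer)
    if NAMES[offered] in supplicant_supports:
        reply = eap_packet(RESPONSE, ident, offered)  # simplified: no TLS data
    else:
        wanted = bytes(EAP_TYPES[m] for m in supplicant_supports) or b"\x00"
        reply = eap_packet(RESPONSE, ident, NAK, wanted)
    return server_next_type(enabled, default_eap_type, reply)
```

With the quoted configuration, `negotiate(ENABLED, "ttls", ["peap"])` returns `"peap"`, while the same supplicant against a server that only enables `ttls` gets `None`, which corresponds to a rejected authentication.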