How to enable only EAP-TTLS type and not EAP-TLS?

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Wed Jan 9 10:19:36 CET 2008


Hi,

nikitha george wrote on 09.01.2008 10:04:
> Hi,
> I want to enable only TTLS authentication and if the client is
> requesting any other types EAP-TLS or PEAP the authentication should be
> denied.

Within the eap section you must configure the tls and the ttls section.
Delete the peap section.

> I am running freeradius-1.1.6, and if try to disable EAP-TLS module the
> server itself is not starting up.
> Please let me know if there are any ways to achieve this.

Then to disable the eap-tls functionality you must create an *empty*
directory, e.g. ${raddbdir}/certs/trustedCAsForRoamingClients/, and then
within the tls section define

CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/

Also you must remove the definition of the parameter

CA_file =

This way you don't have any accepted CAs in your config that are trusted CAs
for issued client certificates for eap-tls authentication.

Make sure though that you put the radius server certificate and its CA chain
including the root CA certificate in PEM format into the file specified with
the

certificate_file

option in the tls section.

HTH

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN-Workshop "Sicherheit in vernetzten Systemen"
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski
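
A check of the finished configuration against the steps in the reply above, as an added example that is not part of the original post or of FreeRADIUS. The function names are hypothetical, and it assumes CA_file and CA_path appear only inside the tls section of the eap configuration file.

```shell
#!/bin/sh
# Added example: audit an eap config for the TTLS-only setup described above.
# Assumption: CA_file / CA_path occur only inside the tls section.

# Print the active lines of a config file (comments and blank lines removed).
active_lines() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# conf_value FILE KEY: print the value of the first active "KEY = value" line.
conf_value() {
    active_lines "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# has_section FILE NAME: succeed if "NAME {" opens on an active line.
has_section() {
    active_lines "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]*\{"
}

# audit_eap_conf FILE RADDBDIR: print findings; exit status = number of findings.
audit_eap_conf() {
    conf=$1 raddbdir=$2 findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    has_section "$conf" tls  || fail "tls section missing"
    has_section "$conf" ttls || fail "ttls section missing"
    has_section "$conf" peap && fail "peap section still present"

    # A defined CA_file means some CA is trusted for EAP-TLS client certs.
    active_lines "$conf" | grep -Eq '^[[:space:]]*CA_file[[:space:]]*=' &&
        fail "CA_file is still defined"

    # CA_path must point at an existing directory with nothing in it.
    ca_path=$(conf_value "$conf" CA_path | sed "s|[\$]{raddbdir}|$raddbdir|")
    if [ -z "$ca_path" ]; then
        fail "CA_path is not defined"
    elif [ ! -d "$ca_path" ]; then
        fail "CA_path directory $ca_path does not exist"
    elif [ -n "$(ls -A "$ca_path")" ]; then
        fail "CA_path directory $ca_path is not empty"
    fi
    return "$findings"
}
```

Call it as audit_eap_conf followed by the path of the eap configuration file and the directory that ${raddbdir} stands for; a zero exit status means none of the checks failed.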

More information about the Freeradius-Users mailing list