How to enable only EAP-TTLS type and not EAP-TLS?

Riccardo Veraldi Riccardo.Veraldi at cnaf.infn.it
Wed Jan 9 10:50:20 CET 2008


Yes, this is much better, but anyway I had disabled PEAP in eap.conf.

thanks

Rick

Arran Cudbard-Bell wrote:
> Riccardo Veraldi wrote:
>> I think there is a cleaner way.
>> I enabled only EAP-TTLS and disabled EAP-TLS just putting this line
>> in /etc/raddb/users
>>
>> DEFAULT        EAP-Type == EAP-TLS, Auth-Type := Reject
>>
>> It works, I think Alan gave me this hint 1 year ago, maybe it could
>> be put in the FAQ since it is an interesting way to solve the problem.
> Don't you want
>
> DEFAULT        EAP-Type != EAP-TTLS, Auth-Type := Reject
>
> or in unlang
>
> if("%{EAP-Type}" != 'EAP-TTLS'){
>    reject
> }
>>
>> Rick
>>
>> Reimer Karlsen-Masur, DFN-CERT wrote:
>>> Hi,
>>>
>>> nikitha george wrote on 09.01.2008 10:04:
>>>  
>>>> Hi,
>>>> I want to enable only TTLS authentication and if the client is
>>>> requesting any other types EAP-TLS or PEAP the authentication
>>>> should be denied.
>>>>     
>>>
>>> within the eap section you must configure the tls and the ttls section.
>>> Delete the peap section.
>>>
>>>  
>>>> I am running freeradius-1.1.6, and if try to disable EAP-TLS module
>>>> the server itself is not starting up.
>>>> Please let me know if there are any ways to achieve this.
>>>>     
>>>
>>> Then to disable the eap-tls functionality you must create an *empty*
>>> directory  e.g. ${raddbdir}/certs/trustedCAsForRoamingClients/ and then
>>> within the tls section define
>>>
>>> CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/
>>>
>>> Also you must remove the definition of the parameter
>>>
>>> CA_file =
>>>
>>> This way you don't have any accepted CAs in your config that are
>>> trusted CAs for issued client certificates for eap-tls authentication
>>>
>>> Make sure though that you put the radius server certificate and its
>>> CA chain including the root CA certificate in PEM format into the file
>>> specified with the
>>>
>>> certificate_file
>>>
>>> option in the tls section.
>>>
>>> HTH
>>>
>>>   
>>> ------------------------------------------------------------------------ 
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See 
>>> http://www.freeradius.org/list/users.html
>>
>
>
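
The difference between the two rules quoted above (`EAP-Type == EAP-TLS` versus `EAP-Type != EAP-TTLS`), as an added example that is not part of the original thread or of FreeRADIUS: it reads the type octet from constructed EAP Response packets and evaluates each rule against it. The function names and sample packets are assumptions, and the sketch compares on the packet's type octet only; it does not model how the server populates EAP-Type.

```python
import struct

# EAP method type codes (RFC 3748 and the IANA EAP registry).
EAP_TYPES = {4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
EAP_RESPONSE = 2


def build_response(ident, type_code, type_data=b""):
    """Construct an EAP Response: code, id, length, type, type-data."""
    length = 5 + len(type_data)
    return struct.pack("!BBHB", EAP_RESPONSE, ident, length, type_code) + type_data


def eap_type(eap_message):
    """Return the method name carried in an EAP Response, or None."""
    if len(eap_message) < 4:
        raise ValueError("truncated EAP header")
    code, _ident, length = struct.unpack("!BBH", eap_message[:4])
    if length < 4 or length > len(eap_message):
        raise ValueError("EAP length field does not match the data")
    if code != EAP_RESPONSE or length < 5:
        return None  # Success/Failure packets have no type octet
    type_code = eap_message[4]
    return EAP_TYPES.get(type_code, "type-%d" % type_code)


def denylist_rejects(name):
    # Models: DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
    return name == "EAP-TLS"


def allowlist_rejects(name):
    # Models: DEFAULT EAP-Type != EAP-TTLS, Auth-Type := Reject
    return name != "EAP-TTLS"


def compare_rules(messages):
    """Map each typed message to (rejected by denylist, rejected by allowlist)."""
    verdicts = {}
    for msg in messages:
        name = eap_type(msg)
        if name is not None:
            verdicts[name] = (denylist_rejects(name), allowlist_rejects(name))
    return verdicts


# Constructed sample responses, one per method (TLS, TTLS, PEAP, MD5).
SAMPLES = [build_response(i, t, b"\x00") for i, t in enumerate((13, 21, 25, 4), 1)]

if __name__ == "__main__":
    for name, (deny, allow) in compare_rules(SAMPLES).items():
        print("%-14s '==' rule rejects: %-5s '!=' rule rejects: %s" % (name, deny, allow))
```

With the `==` rule alone, PEAP and any other enabled method still pass, which is why it only works together with removing those methods from eap.conf.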



