How to enable only EAP-TTLS type and not EAP-TLS?

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Thu Jan 10 10:25:48 CET 2008


This is definitely more elegant than my suggestion, but I found that many
FreeRADIUS admins get confused by the

CA_file
CA_path

options. They think that they need to place the CA chain from *their
FreeRADIUS server's SSL certificate* in the file/directory specified in the above
options. But by doing so they most likely implicitly trust these CAs for
client authentication via EAP-TLS, i.e. they enabled EAP-TLS with some set of
trusted CAs that were never intended to authenticate client certs for their
organisation.

Whereas the CA chain of *their FreeRADIUS server's SSL certificate* should be
appended to the server certificate file specified with the

certificate_file

option.

So since specifying an empty CA_file does not work (FreeRADIUS does not
start), the only way to get a really clean minimal config that does not allow
EAP-TLS is to have an empty CA_path directory.

Defining the DEFAULT in the users file like below is a good additional step
to rule all other EAP-Types out.

my 2 cents

Alan DeKok wrote on 09.01.2008 10:55:
> nikitha george wrote:
>> Hi,
>> I want to enable only TTLS authentication and if the client is
>> requesting any other types EAP-TLS or PEAP the authentication should be
>> denied.
>> I am running freeradius-1.1.6, and if I try to disable the EAP-TLS module the
>> server itself is not starting up.
>> Please let me know if there are any ways to achieve this.
> 
>   Put this at the top of the "users" file:
> 
> DEFAULT EAP-Type != EAP-TTLS, Auth-Type := Reject

-- 
Best regards / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN Workshop "Sicherheit in vernetzten Systemen"
on 13/14 February 2008 at CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski
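As an added illustration of the two layouts discussed above (not configuration from the thread or from the FreeRADIUS project), here is a FreeRADIUS 1.x eap.conf "tls" section with the confusing layout beside the clean one, followed by the "users" rule from Alan's reply. All file paths are placeholders; leaving CA_file unset and pointing CA_path at an empty directory is assumed to be the combination that starts, since the thread only reports that an *empty* CA_file is rejected.

```conf
# eap.conf (FreeRADIUS 1.x) -- the confusing layout described above:
# the server certificate's issuing chain was put into CA_file, so every
# CA in that chain is now trusted to sign EAP-TLS client certificates.
eap {
    default_eap_type = ttls
    tls {
        private_key_file = ${raddbdir}/certs/server-key.pem    # placeholder path
        certificate_file = ${raddbdir}/certs/server-cert.pem   # server cert only
        CA_file = ${raddbdir}/certs/server-chain.pem           # public CAs trusted for client auth
    }
    ttls {
        default_eap_type = mschapv2
    }
}

# Clean minimal layout: the chain is appended to certificate_file, CA_file
# is left unset (assumption: an empty CA_file is what fails at startup), and
# CA_path points at an empty directory, so no CA can authenticate EAP-TLS
# client certificates.
eap {
    default_eap_type = ttls
    tls {
        private_key_file = ${raddbdir}/certs/server-key.pem    # placeholder path
        # server-cert.pem now holds the server certificate followed by its
        # intermediate and root CA certificates, in that order
        certificate_file = ${raddbdir}/certs/server-cert.pem
        CA_path = ${raddbdir}/certs/empty-ca-dir               # placeholder: empty directory
    }
    ttls {
        default_eap_type = mschapv2
    }
}

# users: reject any outer EAP method other than TTLS (from Alan's reply)
DEFAULT EAP-Type != EAP-TTLS, Auth-Type := Reject
```

Verify the result with a client presenting a certificate from one of the chain's CAs: under the clean layout the EAP-TLS handshake must fail at certificate verification, and the users rule rejects PEAP or EAP-TLS requests before any tunnel is established.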