How to enable only EAP-TTLS type and not EAP-TLS?
Reimer Karlsen-Masur, DFN-CERT
karlsen-masur at dfn-cert.de
Thu Jan 10 10:25:48 CET 2008
This is definitely more elegant than my suggestion but I found that many
FreeRADIUS admins get confused by the
CA_file
CA_path
options. They think that they need to place the CA chain from *their
FreeRADIUS servers SSL certificate* in the file/directory specified in above
options. But by doing so they most likely implicitly trust these CAs for
client authentication via eap-tls, ie. they enabled EAP-TLS with some set of
trusted CAs that were never intended to authenticate client certs for their
organisation.
Whereas the CA chain of *their FreeRADIUS servers SSL certificate* should be
appended to the server certificate file specified with the
certificate_file
option.
So since specifying an empty CA_file does not work (FreeRADIUS does not
start) the only way for a really clean minimal config that is not allowing
EAP-TLS is to have an empty CA_path directory.
Defining the DEFAULT in the users file like below is a good additional step
to rule all other EAP-Types out.
my 2 cents
Alan DeKok wrote on 09.01.2008 10:55:
> nikitha george wrote:
>> Hi,
>> I want to enable only TTLS authentication and if the client is
>> requesting any other types EAP-TLS or PEAP the authentication should be
>> denied.
>> I am running freeradius-1.1.6, and if try to disable EAP-TLS module the
>> server itself is not starting up.
>> Please let me know if there are any ways to achieve this.
>
> Put this at the top of the "users" file:
>
> DEFAULT EAP-Type != EAP-TTLS, Auth-Type := Reject
--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
15 Jahre DFN-CERT + 15. DFN-Workshop "Sicherheit in vernetzten Systemen"
am 13./14. Februar 2008 im CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5939 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080110/ebdbc0a7/attachment.bin>
More information about the Freeradius-Users
mailing list