How to enable only EAP-TTLS type and not EAP-TLS?
Alan DeKok
aland at deployingradius.com
Thu Jan 10 11:26:55 CET 2008
Reimer Karlsen-Masur, DFN-CERT wrote:
> This is definitely more elegant than my suggestion but I found that many
> FreeRADIUS admins get confused by the
>
> CA_file
> CA_path
>
> options. They think that they need to place the CA chain from *their
> FreeRADIUS server's SSL certificate* in the file/directory specified in above
> options.
I've added some comments in eap.conf && raddb/certs/README explaining
more about these issues.
> But by doing so they most likely implicitly trust these CAs for
> client authentication via eap-tls, i.e. they enabled EAP-TLS with some set of
> trusted CAs that were never intended to authenticate client certs for their
> organisation.
That's the whole purpose of CA_file, to be honest.
> Whereas the CA chain of *their FreeRADIUS server's SSL certificate* should be
> appended to the server certificate file specified with the
>
> certificate_file
>
> option.
That is another way of doing it.
> So since specifying an empty CA_file does not work (FreeRADIUS does not
> start) the only way for a really clean minimal config that is not allowing
> EAP-TLS is to have an empty CA_path directory.
That sounds reasonable. I've updated the code to permit CA_file to be
empty, and added comments in eap.conf && raddb/certs/README about this.
Alan DeKok.
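The configuration the thread converges on, written out as an added example (this is not from the original posts or from the FreeRADIUS distribution). It assumes the FreeRADIUS 2.x eap.conf layout with the ${certdir}/${cadir} variables defined inside the tls section; the file names server.pem, server.key and the empty directory ${cadir}/empty-client-cas are assumptions for illustration. The commented-out CA_file line shows the setting the thread warns about: pointing CA_file at the CA that issued the server certificate silently turns on EAP-TLS for every client certificate that CA has ever signed.

```conf
eap {
	# Advertise TTLS first; EAP-TLS remains compiled in, so the tls {}
	# section below is still needed to carry the TTLS outer tunnel.
	default_eap_type = ttls

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs

		# server.pem holds the server certificate FIRST, followed by the
		# intermediate and root certificates that issued it, concatenated
		# in PEM form.  That is where the server's own chain belongs, so
		# that clients can build the path to a root they trust.
		certificate_file = ${certdir}/server.pem
		private_key_file = ${certdir}/server.key
		private_key_password = whatever

		# WRONG (the confusion described in the thread): this is the CA
		# that issued server.pem, so any client certificate from that CA
		# would now authenticate via EAP-TLS, whether intended or not.
		#CA_file = ${cadir}/ca.pem

		# CA_file and CA_path only define which CAs may sign CLIENT
		# certificates.  To allow no client certificates at all, point
		# CA_path at an empty directory (assumed name) and set no CA_file.
		# On the older code discussed here an empty CA_file aborts startup,
		# so the empty CA_path directory is the portable choice.
		CA_path = ${cadir}/empty-client-cas

		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
	}

	ttls {
		# Inner authentication runs in the tunnel; no client cert involved.
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
}
```

Keep the empty CA_path directory really empty: OpenSSL looks up issuers there by hash-named files, so a single stray CA certificate dropped into it (with its hash symlink) would re-enable EAP-TLS for that CA's clients.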