How to enable only EAP-TTLS type and not EAP-TLS?

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Fri Jan 11 12:18:28 CET 2008


Hi,

> That road is painful. What we've come up with so far is supplying 
> pre-configured supplicants (SecureW2) that bring the proper CA certificate 
> along and set the expected CN automatically. It can even be preconfigured to 
> auto-discard any other certificates, which doesn't give the user any 
> opportunity to mess around.
> Of course, that is just pre-setting checkboxes in the supplicant. If a user 
> *really* wants to sacrifice security for getting online cheap and easy on 
> possible fraud networks, he can still toggle the settings manually later and 
> shoot himself in the foot with it.
> 
> For the built-in supplicant in XP/Vista: it generally sucks. There is the 
> new "Wireless Native API" that is supposed to allow scripted auto-setups of 
> 802.1X settings for an SSID, but we haven't tested if that's really 
> practical. If you can find a student to code on that API, please go ahead :-)

we have a similar method - preconfigured setup installer for OpenSEA
(open1x.sf.net) and SecureW2 3.x - both have the required CN etc already
set.  handy for ensuring people have eduroam already configured too ;-)

my main issue with SecureW2 is that it is really just a Windows zero
config supplicant plugin - i.e. it inherits all the Windows supplicant
issues.  the Cisco (pre Meetinghouse) supplicant is one of the best
(Aironet Desktop Utility) - the Meetinghouse client is interesting -
users cannot simply configure the supplicant for EAP networks - an
admin system needs to be used to push settings out.  not handy
for those users with EAP at home :-)

alan


