Allow PEAP and TTLS, but reject TLS
usawebbox at fastmail.fm
Fri Mar 20 22:46:08 CET 2009
I'm using Freeradius 2.1.1. My setup has been successfully
authenticating TLS, TTLS, and PEAP for a while. Now I would like to deny
TLS in the EAP negotiation, although the users will still have client
certificates. I don't know how to reject TLS without breaking PEAP/TTLS.
Those methods require the TLS block, which must then have the CA cert to
validate the server certificate, and the server continues to use that to
validate user certs.
Problem: PEAP is my default EAP-type, but the client can nak it and
choose EAP-TLS instead.
I saw this comment in eap.conf (referring to CA_file):
"If you do not use client certificates, and you do not want to permit EAP-TLS authentication, then delete this configuration item"
Unfortunately, this is not literally true. It sounded like a simple way
to use the TLS block only to enable PEAP and TTLS, but if the CA cert is
in "certificate_file" and the "CA_file" configuration item is deleted,
EAP-TLS is still permitted as an authentication method.
Note: I have read all the comments in this file, not just the one I
quoted.
If someone knows a way to do this, I would appreciate the knowledge. I
suppose I would be willing to restrict the EAP-type to only PEAP (or only
TTLS) if that is the only way to reject EAP-TLS. Thank you.
--
usawebbox at fastmail.fm
--
http://www.fastmail.fm - Faster than the air-speed velocity of an
unladen european swallow
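The negotiation the post describes (the server offers its default EAP type, the supplicant Naks it and asks for EAP-TLS instead) modelled as an added example; this is not code from the original post or from FreeRADIUS. It encodes and parses EAP packets per RFC 3748, lets a simulated peer either accept the offered method or answer with a Nak listing the types it wants, and applies a server policy that continues only with PEAP or TTLS. The method type codes are the IANA EAP method numbers (13 TLS, 21 TTLS, 25 PEAP); the peer model, the `ALLOWED_TYPES` policy and the helper names are assumptions of the example.

```python
"""Outer EAP method selection with an allow-list: continue with PEAP or TTLS, refuse EAP-TLS.

Example model of the RFC 3748 type negotiation; not FreeRADIUS code.
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY, TYPE_NAK = 1, 3
TYPE_TLS, TYPE_TTLS, TYPE_PEAP = 13, 21, 25      # IANA EAP method types
NAMES = {TYPE_IDENTITY: "Identity", TYPE_NAK: "Nak",
         TYPE_TLS: "TLS", TYPE_TTLS: "TTLS", TYPE_PEAP: "PEAP"}

DEFAULT_TYPE = TYPE_PEAP                # like default_eap_type = peap
ALLOWED_TYPES = (TYPE_PEAP, TYPE_TTLS)  # assumed policy: anything else, EAP-TLS included, is refused


def build_eap(code, ident, eap_type, data=b""):
    """Encode one EAP packet: Code, Identifier, Length (whole packet), Type, Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def parse_eap(pkt):
    """Decode an EAP packet, checking the Length field against the bytes actually received."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return {"code": code, "id": ident, "type": eap_type, "data": pkt[5:]}


def proposed_types(resp):
    """Methods the peer is asking for: a Nak lists one type per data byte,
    any other Response proposes its own type."""
    if resp["type"] == TYPE_NAK:
        return list(resp["data"])
    return [resp["type"]]


def choose_method(resp):
    """Server policy: the method type to continue with, or None to send EAP-Failure.

    An Identity response just starts the conversation with the default type; otherwise
    the peer's preference order is honoured, but only among ALLOWED_TYPES."""
    if resp["code"] != EAP_RESPONSE:
        return None
    if resp["type"] == TYPE_IDENTITY:
        return DEFAULT_TYPE
    for t in proposed_types(resp):
        if t in ALLOWED_TYPES:
            return t
    return None


def negotiate(peer_prefs):
    """Run the outer-method negotiation against a simulated peer willing to do any of peer_prefs.

    Returns (decision, trace): decision is the agreed method name or "FAILURE"."""
    trace = []
    ident = 1
    # Server opens with its default method (the Identity exchange is assumed done).
    req = parse_eap(build_eap(EAP_REQUEST, ident, DEFAULT_TYPE))
    trace.append(("server", f"Request id={ident} type={NAMES[req['type']]}"))
    if DEFAULT_TYPE in peer_prefs:
        response = build_eap(EAP_RESPONSE, ident, DEFAULT_TYPE)
    else:
        # Peer refuses the offered method and lists what it wants instead (a Nak).
        response = build_eap(EAP_RESPONSE, ident, TYPE_NAK, bytes(peer_prefs))
    resp = parse_eap(response)
    wanted = [NAMES.get(t, t) for t in proposed_types(resp)]
    trace.append(("peer", f"Response id={ident} type={NAMES[resp['type']]} proposes={wanted}"))
    chosen = choose_method(resp)
    if chosen is None:
        trace.append(("server", "Failure (no acceptable method)"))
        return "FAILURE", trace
    trace.append(("server", f"Request id={ident + 1} type={NAMES[chosen]} (continue)"))
    return NAMES[chosen], trace


if __name__ == "__main__":
    for prefs in ([TYPE_PEAP], [TYPE_TLS], [TYPE_TLS, TYPE_TTLS]):
        decision, trace = negotiate(prefs)
        print(decision, trace)
```

The point the model makes is that the decision has to be taken on the Type byte of the peer's Response (or on the list inside its Nak), before any TLS handshake starts; which certificates or CA file the TLS block holds never enters into it, which is consistent with the post's observation that removing CA_file leaves EAP-TLS reachable.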