Allow PEAP and TTLS, but reject TLS
tnt at kalik.net
Sat Mar 21 11:39:34 CET 2009
>I'm using Freeradius 2.1.1. My setup has been successfully
>authenticating TLS, TTLS, and PEAP for a while. Now I would like to deny
>TLS in the EAP negotiation, although the users will still have client
>certificates. I don't know how to reject TLS without breaking PEAP/TTLS.
Revoke the certificates.
>Those methods require the TLS block, which must then have the CA cert to
>validate the server certificate, and the server continues to use that to
>validate user certs.
>
>Problem: PEAP is my default EAP-type, but the client can nak it and
>choose EAP-TLS instead.
>
Remove { ok=return } from eap in authorize. Add this after eap entry:
if (EAP-Type == EAP-TLS) {
    update control {
        Auth-Type := Reject
    }
}
Ivan Kalik
Kalik Informatika ISP
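
Added example, not part of the original post and not FreeRADIUS code: a small Python decoder for the outer EAP messages in the negotiation described above, showing a Nak that asks for EAP-TLS and which message a comparison like `EAP-Type == EAP-TLS` would match. The type numbers are from RFC 3748 and the IANA EAP registry; the sample packets are constructed, and the function names and the assumption that EAP-Type reflects the type octet of the outer EAP message are this example's own.

```python
import struct

# EAP constants from RFC 3748 and the IANA EAP method registry
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_NAK = 3
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def parse_eap(packet: bytes) -> dict:
    """Decode the EAP header and, for a Nak, the methods the peer asks for."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field does not match the data")
    body = packet[4:length]  # anything after Length is padding, ignore it
    info = {"code": code, "id": ident, "type": None, "wants": []}
    if code in (EAP_REQUEST, EAP_RESPONSE) and body:
        # Only Request and Response packets carry a Type octet
        info["type"] = EAP_TYPES.get(body[0], str(body[0]))
        if code == EAP_RESPONSE and body[0] == EAP_NAK:
            # Legacy Nak: each following octet is a method the peer wants
            info["wants"] = [EAP_TYPES.get(t, str(t)) for t in body[1:]]
    return info


def hits_reject_rule(packet: bytes) -> bool:
    """Model of `EAP-Type == EAP-TLS` for one outer EAP message.

    Assumption: EAP-Type is the type octet of that message.
    """
    return parse_eap(packet)["type"] == "EAP-TLS"


# Constructed sample messages (not captured traffic)
NAK_FOR_TLS = bytes([2, 7, 0, 6, 3, 13])    # peer declines PEAP, asks for EAP-TLS
TLS_RESPONSE = bytes([2, 8, 0, 6, 13, 0])   # peer answering an EAP-TLS request
PEAP_RESPONSE = bytes([2, 8, 0, 6, 25, 0])  # peer answering a PEAP request

if __name__ == "__main__":
    samples = [("nak", NAK_FOR_TLS), ("tls", TLS_RESPONSE), ("peap", PEAP_RESPONSE)]
    for name, pkt in samples:
        verdict = "reject" if hits_reject_rule(pkt) else "continue"
        print(name, parse_eap(pkt), verdict)
```

Under that assumption the Nak itself carries type Nak, so the comparison matches on the peer's first EAP-TLS response rather than on the Nak.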