Disable PEAP-TLS but allow PEAP
Matthew Newton
mcn4 at leicester.ac.uk
Tue Aug 14 19:21:34 CEST 2012
Hi,
On Tue, Aug 14, 2012 at 04:09:01PM +0100, Phil Mayers wrote:
> On 14/08/12 15:57, Cotton, Jesse wrote:
> >I’ve read several posts about this and none have been helpful.
>
> In the current version of the server, I think this is hard.
As mentioned, comment out CA_file in eap.conf.
To reinforce it, you can add
    if (EAP-Type == "EAP-TLS") {
        reject
    }
after 'eap' in the authorize section of your outer server (likely
default), or add something like
    DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
to your users file.
> It may be easier in the HEAD / 3.0 code.
It is -
In 3.0, EAP-TLS has been separated from PEAP and EAP-TTLS. So you
can update the TLS configuration in mods-enabled/eap to the new
tls-config format, and then just comment out the tls {} section.
(So, in the default 3.0 config, just comment out the tls{}
section.)
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
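
Added example, not part of the original message and not FreeRADIUS code: a small Python check that lists which EAP method sections are active in a 3.0-style mods-enabled/eap file, to confirm that the tls {} section is commented out while peap and ttls remain. The sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample in the 3.0 mods-enabled/eap layout (assumed, not a real config).
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = peap
    tls-config tls-common {
        certificate_file = ${certdir}/server.pem
    }
    #tls {
    #    tls = tls-common
    #}
    ttls {
        tls = tls-common
    }
    peap {
        tls = tls-common
    }
}
"""

# A section opener: "name {" or "name instance {" alone on a line.
SECTION = re.compile(r"^([\w.-]+)(?:\s+[\w.-]+)?\s*\{$")

def enabled_eap_methods(text):
    """Names of uncommented method sections directly inside eap { }."""
    stack, methods = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        match = SECTION.match(line)
        if match:
            name = match.group(1)
            # tls-config only holds shared TLS settings; it is not an EAP method.
            if stack == ["eap"] and name != "tls-config":
                methods.append(name)
            stack.append(name)
        elif line == "}" and stack:
            stack.pop()
    return methods

def eap_tls_enabled(text):
    """True if the standalone EAP-TLS method (the tls { } section) is active."""
    return "tls" in enabled_eap_methods(text)

if __name__ == "__main__":
    print(enabled_eap_methods(SAMPLE_EAP_CONF), eap_tls_enabled(SAMPLE_EAP_CONF))
```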