Use this:

eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no

# Supported EAP-types
# EAP-TLS
tls {
private_key_password = xxxxxxxxxxxxxxxxx
private_key_file = ${raddbdir}/certs/freeradius_key.pem
certificate_file = ${raddbdir}/certs/freeradius_cert.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024

include_length = yes
}

peap {
default_eap_type = mschapv2
proxy_tunneled_request_as_eap = no
}

#tls {
#private_key_password = xxxxxxxxxxxxxxxxxxxxx
#private_key_file = ${raddbdir}/certs/freeradius_key.pem
#certificate_file = ${raddbdir}/certs/freeradius_cert.pem
#CA_file = ${raddbdir}/certs/demoCA/cacert.pem
#dh_file = ${raddbdir}/certs/dh
#random_file = ${raddbdir}/certs/random
#fragment_size = 1024
#include_length = yes
#}

mschapv2 {
}
} 
==================================================

Benjamin K. Eshun

----- Message d'origine ----
De : Marcelo Augusto Rodrigues Pimentel <[EMAIL PROTECTED]>
À : freeradius-users@lists.freeradius.org
Envoyé le : Mardi, 24 Avril 2007, 20h36mn 17s
Objet : RES: Re: RES: Re: PEAP/EAP-TLS with client and server certificate



Marcelo Augusto Rodrigues Pimentel wrote:
> OK. But I?m trying to use peap to make an encrypted tunnel validating the 
> server certificate and then I want to authenticate the clients whith EAP-TLS 
> using client/server certificate. The TLS tunnel is working fine, but the 
> second part of EAP-TLS authentication not.

>  What second part of EAP-TLS?  The server supports authenticating via
client certificates, and nothing else.


I said two parts, because those parts of my configuration uses TLS:

The first part is making the encrypt tunnel using PEAP --> Only validates 
server certificate to create the tunnel.

The second part is the authenticathion inner the tunnel with EAP-TLS --> Mutual 
validation of client and server certificate.

This configuration is like Geroge Ou said below:
...
PEAP-EAP-TLS is an improved version of the original EAP-TLS protocol that goes 
further to encrypt client digital certificate information.  Both PEAP-EAP-TLS 
and EAP-TLS have the same server and client side digital certificate 
requirements.
...

Reference: Wireless LAN security guide --> Level 3: Medium to large Enterprise 
WLAN security" http://www.lanarchitect.net/Articles/Wireless/SecurityRating/


Thank´s !


> So .... in the peap section in the eap.conf, what I?ve to configure for 
> default eap type? Is tls ?

>  No.  You can leave it alone.  It's fine.

> If I configure tls, I?ve to create a tls section in the peap section or the 
> tls section of the eap.conf is enough. I?ve attached my eap.conf file.

> If you want to use just TLS, you don't need the PEAP section.  If you
want to use PEAP, you need the TLS section.  The comments in the
"eap.conf" file explain this.





"Mensagem protegida por sigilo profissional. Sua utilização indevida sujeita o 
infrator às penas da lei. Não sendo seu destinatário, por favor, elimine-a e 
informe o equívoco ao emitente."

"This e-mail message and any attachment are intended exclusively for the named 
addressee. They may contain confidential information which may also be 
protected by professional secrecy. Unless you are the named addressee (or 
authorised to receive for the addressee) you may not copy or use this message 
or any attachment or disclose the contents to anyone else. If this e-mail was 
sent to you by mistake please notify the sender immediately and delete this 
e-mail."

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html







      
___________________________________________________________________________ 
Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! 
Profitez des connaissances, des opinions et des expériences des internautes sur 
Yahoo! Questions/Réponses 
http://fr.answers.yahoo.com
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to