I think there is a cleaner way.
I enabled only EAP-TTLS and disabled EAP-TLS just by putting this line in /etc/raddb/users

DEFAULT        EAP-Type == EAP-TLS, Auth-Type := Reject

It works, I think Alan gave me this hint 1 year ago, maybe it could be put in the FAQ
since it is an interesting way to solve the problem.

Rick

Reimer Karlsen-Masur, DFN-CERT wrote:
Hi,

nikitha george wrote on 09.01.2008 10:04:
Hi,
I want to enable only TTLS authentication and if the client is
requesting any other types EAP-TLS or PEAP the authentication should be
denied.

Within the eap section you must configure the tls and the ttls section.
Delete the peap section.

I am running freeradius-1.1.6, and if I try to disable the EAP-TLS module the
server itself is not starting up.
Please let me know if there are any ways to achieve this.

Then to disable the eap-tls functionality you must create an *empty*
directory  e.g. ${raddbdir}/certs/trustedCAsForRoamingClients/ and then
within the tls section define

CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/

Also you must remove the definition of the parameter

CA_file =

This way you don't have any accepted CAs in your config that are trusted CAs
for issued client certificates for eap-tls authentication.

Make sure though that you put the radius server certificate and its CA chain
including the root CA certificate in PEM format into the file specified with
the

certificate_file

option in the tls section.

HTH

------------------------------------------------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
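
An added example, not part of the original thread and not FreeRADIUS code: a small Python check that a tls section follows the setup described in the quoted message (no CA_file, CA_path pointing at an empty directory, certificate_file set). The function names, the constructed sample config, and the assumption that ${raddbdir} is the only variable to expand are hypothetical choices made for illustration.

```python
import os
import re
import tempfile

# Constructed sample of an eap section (not taken from the thread).
SAMPLE = """
eap {
    tls {
        certificate_file = ${raddbdir}/certs/server-chain.pem
        CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/
    }
    ttls {
        default_eap_type = md5
    }
}
"""

def tls_settings(conf_text):
    """Collect name = value pairs directly inside the tls { } block."""
    settings, depth = {}, 0          # depth > 0 means we are inside tls
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.endswith("{"):
            if depth or line.split()[0] == "tls":  # "ttls {" does not match
                depth += 1
        elif line == "}":
            depth = max(depth - 1, 0)
        elif depth == 1 and (m := re.match(r"(\w+)\s*=\s*(.*)", line)):
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def audit(conf_text, raddbdir):
    """Return a list of deviations from the setup described in the thread."""
    tls, problems = tls_settings(conf_text), []
    if "CA_file" in tls:             # the definition itself must be removed
        problems.append("CA_file is still defined")
    ca_path = tls.get("CA_path", "").replace("${raddbdir}", raddbdir)
    if not os.path.isdir(ca_path):
        problems.append("CA_path is missing or not a directory")
    elif os.listdir(ca_path):        # any entry could become a trusted CA
        problems.append("CA_path directory is not empty")
    if not tls.get("certificate_file"):
        problems.append("certificate_file is not set")
    return problems

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as raddb:   # stand-in for the raddb dir
        os.makedirs(os.path.join(raddb, "certs", "trustedCAsForRoamingClients"))
        print(audit(SAMPLE, raddb) or "tls section matches the described setup")
```

To check a real server, pass the contents of its eap configuration file and its raddb directory to `audit()`.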
