Riccardo Veraldi wrote:
I think there is a cleaner way.
I enabled only EAP-TTLS and disabled EAP-TLS just by putting this line in
/etc/raddb/users
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
It works, I think Alan gave me this hint 1 year ago, maybe it could be
put in the FAQ
since it is an interesting way to solve the problem.
Don't you want
DEFAULT EAP-Type != EAP-TTLS, Auth-Type := Reject
or in unlang
if ("%{EAP-Type}" != 'EAP-TTLS') {
    reject
}
Rick
Reimer Karlsen-Masur, DFN-CERT wrote:
Hi,
nikitha george wrote on 09.01.2008 10:04:
Hi,
I want to enable only TTLS authentication and if the client is
requesting any other types EAP-TLS or PEAP the authentication should be
denied.
Within the eap section you must configure the tls and the ttls section.
Delete the peap section.
I am running freeradius-1.1.6, and if I try to disable the EAP-TLS module the
server itself is not starting up.
Please let me know if there are any ways to achieve this.
Then to disable the eap-tls functionality you must create an *empty*
directory e.g. ${raddbdir}/certs/trustedCAsForRoamingClients/ and then
within the tls section define
CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/
Also you must remove the definition of the parameter
CA_file =
This way you don't have any accepted CAs in your config that are trusted CAs
for issued client certificates for eap-tls authentication.
Make sure though that you put the radius server certificate and its CA chain
including the root CA certificate in PEM format into the file specified with
the certificate_file option in the tls section.
HTH
------------------------------------------------------------------------
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
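A small audit of the eap settings described in the thread above (peap section deleted, tls and ttls sections present, no CA_file, CA_path pointing at an empty directory, certificate_file set). This is an added example, not part of the original thread or of FreeRADIUS; the function names, finding strings and sample certificate file names are assumptions, and the parser only understands plain `name {` and `key = value` lines.

```python
import os
import re

def parse_sections(text):
    """Map each section path, e.g. ("eap", "tls"), to its key/value pairs."""
    stack, out = [], {(): {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        opened = re.match(r"^([\w-]+)\s*\{$", line)
        if opened:
            stack.append(opened.group(1))
            out.setdefault(tuple(stack), {})
        elif line == "}" and stack:
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[tuple(stack)][key] = value
    return out

def audit_eap(text, raddbdir):
    """List where a config departs from the TTLS-only setup in the thread."""
    sections, findings = parse_sections(text), []
    if ("eap", "peap") in sections:
        findings.append("peap section still present")
    if ("eap", "ttls") not in sections:
        findings.append("ttls section missing")
    tls = sections.get(("eap", "tls"), {})
    if "CA_file" in tls:                      # even an empty "CA_file =" counts
        findings.append("CA_file is defined")
    ca_path = tls.get("CA_path", "").replace("${raddbdir}", raddbdir)
    if not ca_path:
        findings.append("CA_path not set")
    elif not os.path.isdir(ca_path) or os.listdir(ca_path):
        findings.append("CA_path is not an existing empty directory")
    if not tls.get("certificate_file"):
        findings.append("certificate_file not set")
    return findings

# Constructed sample input; the certificate file names are placeholders.
WEAK = """eap {
    tls {
        certificate_file = ${raddbdir}/certs/server.pem
        CA_file = ${raddbdir}/certs/ca.pem
    }
    ttls {
    }
    peap {
    }
}"""
```

An empty list from `audit_eap` means the file matches the described layout; it checks the configuration text and the directory only, not what the running server negotiates.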