Riccardo Veraldi wrote:
I think there is a cleaner way.
I enabled only EAP-TTLS and disabled EAP-TLS just putting this line in /etc/raddb/users

DEFAULT        EAP-Type == EAP-TLS, Auth-Type := Reject

It works, I think Alan gave me this hint 1 year ago, maybe it could be put in the FAQ
since it is an interesting way to solve the problem.

Don't you want

DEFAULT        EAP-Type != EAP-TTLS, Auth-Type := Reject

or in unlang

if("%{EAP-Type}" != 'EAP-TTLS'){
   reject
}

Rick

Reimer Karlsen-Masur, DFN-CERT wrote:
Hi,

nikitha george wrote on 09.01.2008 10:04:
Hi,
I want to enable only TTLS authentication and if the client is
requesting any other types EAP-TLS or PEAP the authentication should be
denied.

within the eap section you must configure the tls and the ttls section.
Delete the peap section.

I am running freeradius-1.1.6, and if I try to disable the EAP-TLS module the
server itself is not starting up.
Please let me know if there are any ways to achieve this.

Then to disable the eap-tls functionality you must create an *empty*
directory, e.g. ${raddbdir}/certs/trustedCAsForRoamingClients/, and then
within the tls section define

CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/

Also you must remove the definition of the parameter

CA_file =

This way you don't have any accepted CAs in your config that are trusted CAs
for issued client certificates for eap-tls authentication.

Make sure though that you put the radius server certificate and its CA chain including the root CA certificate in PEM format into the file specified with
the

certificate_file

option in the tls section.

HTH

------------------------------------------------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
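
An added example, not part of the thread and not FreeRADIUS code: a small audit that checks an eap section against the steps Reimer describes (tls and ttls present, peap deleted, no CA_file, CA_path pointing at an empty directory, certificate_file set). The parser is a simplification that only understands nested `name { key = value }` blocks, and the sample configuration and the file name `server-chain.pem` are constructed.

```python
import os
import tempfile

def parse_sections(text):
    """Parse nested 'name { key = value }' blocks (simplified: no quoting, no $INCLUDE)."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
    return stack[0]

def audit_eap(text, raddbdir):
    """List where the eap section departs from the setup described in the thread."""
    eap = parse_sections(text).get("eap", {})
    findings = [f"{name} section is missing" for name in ("tls", "ttls") if name not in eap]
    if "peap" in eap:
        findings.append("peap section is still configured")
    tls = eap.get("tls", {})
    if "CA_file" in tls:
        findings.append("tls CA_file is still defined")
    ca_path = tls.get("CA_path", "").replace("${raddbdir}", raddbdir)
    if not os.path.isdir(ca_path):
        findings.append("tls CA_path is not an existing directory")
    elif os.listdir(ca_path):
        findings.append("tls CA_path directory is not empty")
    if "certificate_file" not in tls:
        findings.append("tls certificate_file is not set")
    return findings

SAMPLE = """
eap {
    tls {
        certificate_file = ${raddbdir}/certs/server-chain.pem
        CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/
    }
    ttls {
    }
}
"""  # constructed sample; file names are placeholders

def demo():
    with tempfile.TemporaryDirectory() as raddbdir:
        os.makedirs(os.path.join(raddbdir, "certs", "trustedCAsForRoamingClients"))
        return audit_eap(SAMPLE, raddbdir)
```

`demo()` builds a temporary raddb directory with an empty CA directory and returns an empty list for the sample; on a real server, pass the contents of eap.conf and the actual raddb directory to `audit_eap`.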
