This is definitely more elegant than my suggestion, but I found that many FreeRADIUS admins get confused by the CA_file/CA_path options. They think that they need to place the CA chain from *their FreeRADIUS server's SSL certificate* in the file/directory specified in the above options. But by doing so they most likely implicitly trust these CAs for client authentication via EAP-TLS, i.e. they enabled EAP-TLS with some set of trusted CAs that were never intended to authenticate client certs for their organisation.

Whereas the CA chain of *their FreeRADIUS server's SSL certificate* should be appended to the server certificate file specified with the certificate_file option.

So since specifying an empty CA_file does not work (FreeRADIUS does not start), the only way for a really clean minimal config that is not allowing EAP-TLS is to have an empty CA_path directory.

Defining the DEFAULT in the users file like below is a good additional step to rule all other EAP-Types out.

my 2 cents

Alan DeKok wrote on 09.01.2008 10:55:
> nikitha george wrote:
>> Hi,
>> I want to enable only TTLS authentication and if the client is
>> requesting any other types EAP-TLS or PEAP the authentication should be
>> denied.
>> I am running freeradius-1.1.6, and if I try to disable the EAP-TLS module the
>> server itself is not starting up.
>> Please let me know if there are any ways to achieve this.
>
> Put this at the top of the "users" file:
>
> DEFAULT EAP-Type != EAP-TTLS, Auth-Type := Reject

--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 Jahre DFN-CERT + 15. DFN-Workshop "Sicherheit in vernetzten Systemen"
am 13./14. Februar 2008 im CCH Hamburg - https://www.dfn-cert.de/ws2008/

--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
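The two tls configurations the post contrasts, written out as an added example (it is not from the post, the thread or the FreeRADIUS project); the certificate paths, file names and the "no-client-cas" directory are assumed placeholders:

```conf
# eap.conf (FreeRADIUS 1.x/2.x layout): the CA_file mistake next to a
# minimal TTLS-only setup that trusts no CA for client certificates.
eap {
        default_eap_type = ttls

        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/server.key

                # WRONG: the server's own issuing chain dropped into CA_file.
                # Every CA in that bundle is now trusted to sign *client*
                # certificates, so EAP-TLS accepts any client cert issued
                # by a CA the organisation never meant to trust for that.
                #certificate_file = ${raddbdir}/certs/server.crt
                #CA_file = ${raddbdir}/certs/server-issuing-chain.pem

                # RIGHT: server certificate followed by its issuing chain in
                # the certificate_file itself (assumed name server-chain.pem,
                # e.g. server.crt + intermediate.crt concatenated), and
                # CA_path pointing at an empty directory so no CA is trusted
                # for client authentication. An empty CA_file keeps the
                # server from starting, which is why the directory form is used.
                certificate_file = ${raddbdir}/certs/server-chain.pem
                CA_path = ${raddbdir}/certs/no-client-cas/

                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
        }

        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
}
```

Combined with the DEFAULT entry from the quoted reply at the top of the users file, any EAP type other than TTLS is rejected before the tunnel is built, and the empty CA_path means there is no client-certificate trust store for EAP-TLS to fall back on.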