>   Put this into the "users" file:
> 
> DEFAULT       EAP-TLS-Require-Client-Cert = yes

I did this, but the clients can still log in without any client 
certificate, for example with PEAP or EAP-TTLS. Here is my users file:

DEFAULT EAP-TLS-Require-Client-Cert = yes
testuser        Cleartext-Password := "xxxxxxx"
                Reply-Message = "Hello, %{User-Name}"
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

Here's the eap.conf file:

        eap {
                default_eap_type = md5
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                max_sessions = 2048
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                tls {
                        certdir = /etc/ssl
                        cadir = /etc/ssl
                        private_key_password = xxxxxx
                        private_key_file = ${certdir}/serverkey.pem
                        certificate_file = ${certdir}/servercert.pem
                        CA_file = ${cadir}/cacert.pem
                        dh_file = ${certdir}/dh
                        random_file = ${certdir}/random
                        check_crl = no
                        CA_path = /etc/ssl
                        cipher_list = "DEFAULT"
                        cache {
                              enable = no
                              lifetime = 24 # hours
                              max_entries = 255
                        }
                }
                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        virtual_server = "inner-tunnel"
                }
                peap {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                        proxy_tunneled_request_as_eap = yes
                        virtual_server = "inner-tunnel"
                }
                mschapv2 {
                }
        }

Any ideas what is wrong here? Thanks

-------- Original Message --------
> Date: Thu, 16 Sep 2010 09:54:28 +0200
> From: Alan DeKok <al...@deployingradius.com>
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Subject: Re: need help - force EAP-TTLS to validate the server certificate

> Klaus Laus wrote:
> > Thanks a lot Alan DeKok, do I have any possibility to permit login only
> > to persons with username/password and client certificate?
> > All authentication methods work fine on my server, but I'll only
> > permit login with username/password and client certificate. Which code do I
> > need to set in users/eap.conf?
> > TLS works fine on my server and the users can log in themselves with the
> > client certificate, but I don't want to allow login without
> > username/password, and I also don't want to allow logins with username and
> > password but without client certificates.
> 
>   Put this into the "users" file:
> 
> DEFAULT       EAP-TLS-Require-Client-Cert = yes
> 
>   This will require client certificates for *all* EAP methods.  If you
> want it to be more specific, see "man unlang" for writing general
> policies.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
