> Put this into the "users" file:
>
> DEFAULT EAP-TLS-Require-Client-Cert = yes

I did this, but the clients can still log in without any client certificate, for example with PEAP or EAP-TTLS.

Here is my users file:

DEFAULT EAP-TLS-Require-Client-Cert = yes

testuser Cleartext-Password := "xxxxxxx"
        Reply-Message = "Hello, %{User-Name}"

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

Here's the eap.conf file:

eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048

        md5 {
        }

        leap {
        }

        gtc {
                auth_type = PAP
        }

        tls {
                certdir = /etc/ssl
                cadir = /etc/ssl
                private_key_password = xxxxxx
                private_key_file = ${certdir}/serverkey.pem
                certificate_file = ${certdir}/servercert.pem
                CA_file = ${cadir}/cacert.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                check_crl = no
                CA_path = /etc/ssl
                cipher_list = "DEFAULT"

                cache {
                        enable = no
                        lifetime = 24 # hours
                        max_entries = 255
                }
        }

        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }

        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                proxy_tunneled_request_as_eap = yes
                virtual_server = "inner-tunnel"
        }

        mschapv2 {
        }
}

Any ideas what is wrong here?

Thanks

-------- Original Message --------
> Date: Thu, 16 Sep 2010 09:54:28 +0200
> From: Alan DeKok <al...@deployingradius.com>
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Subject: Re: need help - force EAP-TTLS to validate the server certificate

> Klaus Laus wrote:
> > Thanks a lot Alan DeKok, do I have any possibility to permit login only
> > for persons with username/password and client certificate?
> >
> > All authentication methods work fine on my server, but I'll only
> > permit login with username/password and client certificate. Which code do I need
> > to set in users/eap.conf?
> >
> > TLS works fine on my server and the users can log in themselves with the
> > client certificate, but I don't want to allow login without
> > username/password, also I don't want to allow logins with username and password
> > but without client certificates.
>
> Put this into the "users" file:
>
> DEFAULT EAP-TLS-Require-Client-Cert = yes
>
> This will require client certificates for *all* EAP methods. If you
> want it to be more specific, see "man unlang" for writing general
> policies.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
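
Added example, not part of the original thread and not FreeRADIUS code: a small audit of the eap.conf posted above that lists the enabled EAP methods able to complete without a client certificate, which is the exposure the poster wants to close. It assumes every method section present in eap { } is enabled and that only EAP-TLS demands a client certificate by itself; the trimmed config is constructed from the post and the function names are hypothetical.

```python
# Constructed input: method sections of the eap.conf posted above, most keys omitted.
EAP_CONF = """
eap {
  default_eap_type = md5
  md5 {
  }
  tls {
    cache {
      lifetime = 24 # hours
    }
  }
  ttls {
    default_eap_type = md5
  }
  peap {
    default_eap_type = mschapv2
  }
  mschapv2 {
  }
}
"""

def parse(text):
    """Turn 'name {', 'key = value' and '}' lines into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip().strip('"')
    return root

def methods_without_client_cert(conf):
    """Map each enabled method that can finish without a client cert to its inner method."""
    # Assumption (general EAP behaviour, not from the page): only EAP-TLS
    # demands a client certificate by itself; TTLS and PEAP tunnel an inner method.
    found = {}
    for name, body in conf["eap"].items():
        if isinstance(body, dict) and name != "tls":
            found[name] = body.get("default_eap_type", "-")  # "-" = not tunneled
    return found

print(methods_without_client_cert(parse(EAP_CONF)))
```

Every method the audit returns depends on server policy, such as the control attribute quoted in the thread, to insist on a client certificate.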