Holger Schurig <[EMAIL PROTECTED]> wrote:
> I thought TLS is where both the server and the clients have certificates.
> And TTLS is where only the client has a certificate (of the server).

  Yes.  If you're unsure, read the RFCs.  They're included with the
server.

> Therefore, TTLS and PEAP need only a subset of TLS, right?

  No.  They need the entire TLS protocol.

> Now, when I enable TTLS (and TLS because I need it) in radiusd.conf, then
> some client can try to authenticate/authorize with TLS. It's on, isn't it? 

  Yes.  You can turn it off.  See the EAP-Type attribute.

> And the client doesn't get back something like "protocol not supported",
> but "negative authentification".

  You don't understand how RADIUS works.  And it's "authentication",
not "authentification".

  RADIUS returns Access-Reject, not "protocol unsupported".  And the
wireless client doesn't even see that.

> So I would have thought that this is possible and makes sense:
> 
>  # tls {
>  #   ...
>  #}
> 
>  ttls {
>    certificate_file = ${prefix}/ca/cert-srv.pem
>  }

  What about the rest of the configuration options in the TLS
module?  Are you going to just throw those away?  They exist for a
reason, you know...

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
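The point of Alan's reply, shown as a configuration rather than in prose: the `tls {}` block cannot be dropped, because TTLS (and PEAP) run their outer tunnel on the same TLS module and pick up its key, certificate, CA, DH and fragmentation settings. The fragment below is an added example in the FreeRADIUS 1.x `eap.conf` style, not a file from the thread or from the FreeRADIUS distribution. Only `${prefix}/ca/cert-srv.pem` comes from the thread; the other paths, the key password and the inner EAP type are assumed placeholders.

```conf
# Added example (not from the original thread): complete eap {} block
# in the FreeRADIUS 1.x style.  The tls {} section stays even when only
# TTLS is wanted, because TTLS reuses it for the outer tunnel.
# Assumed placeholders: every path except ${prefix}/ca/cert-srv.pem,
# the private_key_password, and md5 as the inner method.
eap {
	# Type offered first to the supplicant; it may NAK and ask for another.
	default_eap_type = ttls

	tls {
		# Server private key and certificate (one PEM holding both is common).
		private_key_password = whatever
		private_key_file = ${prefix}/ca/cert-srv.pem
		certificate_file = ${prefix}/ca/cert-srv.pem

		# CA(s) trusted to sign client certificates for EAP-TLS; also the
		# issuer whose CRL is consulted when check_crl is enabled.
		CA_file = ${prefix}/ca/cacert.pem
		check_crl = no

		# DH parameters and an entropy source for the TLS handshake.
		dh_file = ${prefix}/ca/dh
		random_file = ${prefix}/ca/random

		# EAP fragment size; keep it below the NAS's RADIUS packet limit.
		fragment_size = 1024
		include_length = yes
	}

	ttls {
		# Inner method used once the TLS tunnel is established.
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
	}
}
```

Leaving `tls {}` configured means a supplicant can still ask for plain EAP-TLS; with this configuration it simply fails client-certificate verification and gets an Access-Reject, as Alan says. To refuse EAP-TLS outright while keeping TTLS, the `EAP-Type` attribute he points to is matched as a check item in the users file, along the lines of `DEFAULT EAP-Type == TLS, Auth-Type := Reject` placed before any entry that would accept the user. Whether the value is spelled `TLS` or `EAP-TLS` depends on the dictionary shipped with your version, so confirm the name there before relying on it.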