[EMAIL PROTECTED] wrote:
> When TLS is empty (i.e. TLS {}):

Huh? Why would you leave it empty? If you're not going to use TLS, delete the whole section. It's just like any other module.

> When TLS is removed:
>
> rlm_eap: Unable to load EAP-Type/ttls, as EAP-Type/TLS is required
> first.

If you're not going to use TTLS, delete that section, too.

> Or, if TTLS is also removed:
>
> rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required
> first.
>
> This makes sense, as I'll need my server cert for PEAP. If those certs
> have to be defined in the TLS block, what is the right way to disable
> TLS in this case, but still have PEAP working?

Don't issue client certificates. EAP-TLS won't work.

> I tried deleting the
> CA_file, so I wouldn't be able to verify user certs, but it's required.
> Anyway, I don't want to offer TLS and fail it, I want to NAK it on
> server2.

This is explained in the comments in eap.conf, above the "ttls" and "peap" sections.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html