>> rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required
>> first.
>>
>> This makes sense, as I'll need my server cert for PEAP. If those certs
>> have to be defined in the TLS block, what is the right way to disable
>> TLS in this case, but still have PEAP working?
>
> Don't issue client certificates. EAP-TLS won't work.
>

Alrighty then.

>> I tried deleting the
>> CA_file, so I wouldn't be able to verify user certs, but it's required.
>> Anyway, I don't want to offer TLS and fail it, I want to NAK it on
>> server2.
>
> This is explained in the comments in eap.conf, above the "ttls" and
> "peap" sections.
>
> Alan DeKok.

I did read that, but I was trying to reject TLS. It also says, "If you do not use client certificates, and you do not want to permit EAP-TLS authentication, then delete this configuration item", referring to CA_file. I just want to point out that it appears you can't actually delete that, although it would have been an intuitive way to deny EAP-TLS. Hopefully, that was the original intent.

--
[EMAIL PROTECTED]