I'm using Freeradius 2.1.1. My setup has been successfully authenticating TLS, TTLS, and PEAP for a while. Now I would like to deny TLS in the EAP negotiation, although the users will still have client certificates. I don't know how to reject TLS without breaking PEAP/TTLS. Those methods require the TLS block, which must then have the CA cert to validate the server certificate, and the server continues to use that to validate user certs.
Problem: PEAP is my default EAP-type, but the client can NAK it and choose EAP-TLS instead.

I saw this comment in eap.conf: "If you do not use client certificates, and you do not want to permit EAP-TLS authentication, then delete this configuration item" (referring to CA_file). Unfortunately, this is not literally true. It sounded like a simple way to use the TLS block only to enable PEAP and TTLS, but if the CA cert is in "certificate_file" and the "CA_file" configuration item is deleted, EAP-TLS is still permitted as an authentication method.

Note: I have read all the comments in this file, not just the one I quoted.

If someone knows a way to do this, I would appreciate the knowledge. I suppose I would be willing to restrict the EAP-type to only PEAP (or only TTLS) if that is the only way to reject EAP-TLS.

Thank you.

-- usaweb...@fastmail.fm