>I'm using FreeRADIUS 2.1.1. My setup has been successfully
>authenticating TLS, TTLS, and PEAP for a while. Now I would like to deny
>TLS in the EAP negotiation, although the users will still have client
>certificates. I don't know how to reject TLS without breaking PEAP/TTLS.

Revoke the certificates.

>Those methods require the TLS block, which must then have the CA cert to
>validate the server certificate, and the server continues to use that to
>validate user certs.
>
>Problem: PEAP is my default EAP-type, but the client can nak it and
>choose EAP-TLS instead.
>

Remove { ok=return } from eap in authorize. Add this after eap entry:

    if (EAP-Type == EAP-TLS) {
        update control {
            Auth-Type := Reject
        }
    }

Ivan Kalik
Kalik Informatika ISP
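
The negotiation discussed in this thread, as an added Python model that is not part of the original posts or of FreeRADIUS: it parses EAP packets per RFC 3748 and applies the same comparison as the rule in the reply, assuming the check looks only at the Type byte of the client's response. The function names and the sample packets are constructed for illustration.

```python
import struct

# EAP codes and method type numbers as assigned in RFC 3748 / the IANA EAP registry.
EAP_RESPONSE = 2
EAP_NAK, EAP_TLS, EAP_TTLS, EAP_PEAP = 3, 13, 21, 25

def parse_eap(packet: bytes):
    """Split an EAP Request/Response into (code, identifier, type, type_data)."""
    if len(packet) < 5:
        raise ValueError("too short to carry an EAP Type field")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 5 or length > len(packet):
        raise ValueError("EAP Length field does not match the packet")
    return code, ident, packet[4], packet[5:length]

def nak_proposals(packet: bytes):
    """Method types a client lists in a Nak response, or [] for anything else."""
    code, _, eap_type, data = parse_eap(packet)
    if code == EAP_RESPONSE and eap_type == EAP_NAK:
        return list(data)
    return []

def policy(packet: bytes) -> str:
    """Model of the rule in the reply: reject when the response Type is EAP-TLS."""
    code, _, eap_type, _ = parse_eap(packet)
    if code == EAP_RESPONSE and eap_type == EAP_TLS:
        return "reject"
    return "continue"

# Constructed sample packets (not captured traffic).
NAK_WANTS_TLS = bytes([2, 1, 0, 6, 3, 13])   # Response, id 1, Nak proposing type 13
TLS_RESPONSE  = bytes([2, 2, 0, 6, 13, 0])   # Response, id 2, EAP-TLS, empty flags
PEAP_RESPONSE = bytes([2, 2, 0, 6, 25, 0])   # Response, id 2, PEAP, empty flags

if __name__ == "__main__":
    for name, pkt in [("nak", NAK_WANTS_TLS), ("tls", TLS_RESPONSE), ("peap", PEAP_RESPONSE)]:
        print(name, policy(pkt), nak_proposals(pkt))
```

In this model the Nak that proposes type 13 passes and the EAP-TLS response that follows it is rejected, while a PEAP response is left alone.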