Re: Disabling EAP-TLS while keeping EAP-PEAP

Sounds interesting. Can you post your tls section config?

----- Original message -----
From: Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, 18 June 2007, 11:09:31
Subject: Re: Disabling EAP-TLS while keeping EAP-PEAP

> Hi!
>
> By commenting the CA_file parameter in the eap-tls section:
>
>     # CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem
>
> *and* by setting the CA_path parameter in the eap-tls section to an *empty* directory
>
>     CA_path = ${raddbdir}/certs/trustedCAs
>
> should do the trick. No trusted CAs mean no trusted client certificates :-)
>
> Martin Gadbois wrote:
> > When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.
> > How can I disable EAP-TLS while using EAP-PEAP?
> > I agree that if the client does not have a client key, EAP-TLS will not work.
> > But how to restrict EAP-TLS in any case?
>
> --
> Beste Gruesse / Kind Regards
> Reimer Karlsen-Masur
> DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
> --
> Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Disabling EAP-TLS while keeping EAP-PEAP
Hi,

it's very similar to pages 20ff of
http://www.dfn.de/content/fileadmin/1Dienstleistungen/Roaming/DFNRoaming-Workshop-20070426-Handout.pdf

Eshun Benjamin wrote:
> sounds interesting can you post your tls section config

--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
Re: Disabling EAP-TLS while keeping EAP-PEAP
Hi!

By commenting the CA_file parameter in the eap-tls section:

    # CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem

*and* by setting the CA_path parameter in the eap-tls section to an *empty* directory

    CA_path = ${raddbdir}/certs/trustedCAs

should do the trick. No trusted CAs mean no trusted client certificates :-)

Martin Gadbois wrote:
> When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.
> How can I disable EAP-TLS while using EAP-PEAP?
> I agree that if the client does not have a client key, EAP-TLS will not work.
> But how to restrict EAP-TLS in any case?

--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
Re: Disabling EAP-TLS while keeping EAP-PEAP
Reimer Karlsen-Masur, DFN-CERT wrote:
> Hi!
>
> By commenting the CA_file parameter in the eap-tls section:
>
>     # CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem
>
> *and* by setting the CA_path parameter in the eap-tls section to an *empty* directory
>
>     CA_path = ${raddbdir}/certs/trustedCAs
>
> should do the trick. No trusted CAs mean no trusted client certificates :-)

Clever! Thanks!

--
Martin Gadbois          | "Please answer by yes or no.
Sr. SW Designer         |  Uncooperative user waste precious CPU time"
Colubris Networks Inc.  |  -- The Andromeda Strain, M. Crichton, 1969
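The trick discussed above removes every CA that the eap-tls section would use to verify a client certificate, so an EAP-TLS handshake has nothing to succeed against while PEAP keeps using the server certificate. The script below is an added example, not code from the thread or from the FreeRADIUS project: it audits an eap.conf tls section and reports whether any client-certificate trust anchor is still in effect, i.e. an uncommented CA_file or a CA_path directory that is not empty. The function names (get_setting, eaptls_trust_anchors), the temporary raddb directory and the sample eap.conf are constructed for this example; the file names under certs/ are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: audit the eap-tls
# section of a FreeRADIUS eap.conf to confirm that the "comment out CA_file,
# point CA_path at an empty directory" trick is actually in effect.
# Function names and the demo paths are constructed for this example.

# get_setting CONFIG RADDBDIR NAME
# Prints the value of the first *uncommented* "NAME = value" line in CONFIG,
# with ${raddbdir} expanded to RADDBDIR. A commented line ("# CA_file = ...")
# does not match because NAME must be the first non-blank text on the line.
get_setting() {
    sed -n "s/^[[:space:]]*$3[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n1 \
        | sed -e 's/[[:space:]]*$//' -e "s|\${raddbdir}|$2|g"
}

# eaptls_trust_anchors CONFIG RADDBDIR
# Prints every remaining trust-anchor source; returns 1 if any was found and
# 0 if the server trusts no client CA at all (the state the thread aims for).
eaptls_trust_anchors() {
    found=0
    ca_file=$(get_setting "$1" "$2" CA_file)
    if [ -n "$ca_file" ]; then
        echo "CA_file is active: $ca_file"
        found=1
    fi
    ca_path=$(get_setting "$1" "$2" CA_path)
    if [ -n "$ca_path" ] && [ -d "$ca_path" ]; then
        # OpenSSL loads CAs from CA_path by hashed file name (e.g. 1a2b3c4d.0);
        # any entry at all means this is not the empty directory intended.
        n=$(ls -A "$ca_path" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "CA_path $ca_path is not empty ($n entries)"
            found=1
        fi
    fi
    return "$found"
}

# --- constructed demo: a raddb directory with the trick applied -------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR/certs/trustedCAs"      # deliberately left empty
DEMO_CFG="$DEMO_DIR/eap.conf"
cat > "$DEMO_CFG" <<'EOF'
    tls {
        private_key_file = ${raddbdir}/certs/server-key.pem
        certificate_file = ${raddbdir}/certs/server-cert.pem
        # CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem
        CA_path = ${raddbdir}/certs/trustedCAs
    }
EOF

# Run the audit; exit status 0 means "no client CAs trusted".
if eaptls_trust_anchors "$DEMO_CFG" "$DEMO_DIR"; then
    echo "OK: no client-certificate trust anchors, EAP-TLS cannot verify a client"
else
    echo "WARNING: EAP-TLS client certificates can still be verified"
fi
```

Run it against a real installation as `eaptls_trust_anchors /etc/raddb/eap.conf /etc/raddb` (or whatever raddbdir is on your system); a non-zero exit means a CA bundle or a populated CA directory is still configured and client certificates from that CA would be accepted.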
RE: Disabling EAP-TLS while keeping EAP-PEAP
If someone can gain that level of access and decides JUST to issue a wild certificate - write him a Thank You letter. What if he creates a batch of new users? Or resets ALL your users' passwords to "Leroy wuz 'ere"? Your worries are misplaced.

Ivan Kalik
Kalik Informatika ISP
Re: Disabling EAP-TLS while keeping EAP-PEAP
By not issuing client certificates.

Ivan Kalik
Kalik Informatika ISP

On 1/6/2007, Martin Gadbois [EMAIL PROTECTED] wrote:
> When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.
> How can I disable EAP-TLS while using EAP-PEAP?
> I agree that if the client does not have a client key, EAP-TLS will not work.
> But how to restrict EAP-TLS in any case?
>
> Thanks!
>
> --
> Martin Gadbois          | "Please answer by yes or no.
> Sr. SW Designer         |  Uncooperative user waste precious CPU time"
> Colubris Networks Inc.  |  -- The Andromeda Strain, M. Crichton, 1969
Re: Disabling EAP-TLS while keeping EAP-PEAP
[EMAIL PROTECTED] wrote:
> By not issuing client certificates.

While I covered this solution in my initial posting, what if a certificate was issued, no CRL is possible, and I want to disable EAP-TLS but keep EAP-PEAP?

--
Martin Gadbois          | "Please answer by yes or no.
Sr. SW Designer         |  Uncooperative user waste precious CPU time"
Colubris Networks Inc.  |  -- The Andromeda Strain, M. Crichton, 1969