Re: Disabling EAP-TLS while keeping EAP-PEAP

2007-06-19 Thread Eshun Benjamin
Sounds interesting, can you post your tls section config?

----- Original message -----
From: Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, 18 June 2007, 11:09:31
Subject: Re: Disabling EAP-TLS while keeping EAP-PEAP

Hi!

By commenting the CA_file parameter in the eap-tls section:

# CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem

*and*

by setting CA_path parameter in the eap-tls section to an *empty* directory

CA_path = ${raddbdir}/certs/trustedCAs

should do the trick.

No trusted CAs mean no trusted client certificates :-)

Martin Gadbois wrote:
> When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.
>
> How can I disable EAP-TLS while using EAP-PEAP?
>
> I agree that if the client does not have a client key, EAP-TLS will not
> work. But how to restrict EAP-TLS in any case?

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html










  



Re: Disabling EAP-TLS while keeping EAP-PEAP

2007-06-19 Thread Reimer Karlsen-Masur, DFN-CERT

Hi,

it's very similar to pages 20ff of

http://www.dfn.de/content/fileadmin/1Dienstleistungen/Roaming/DFNRoaming-Workshop-20070426-Handout.pdf

Eshun Benjamin wrote:
> sounds interesting can you post your tls section config


--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737



Re: Disabling EAP-TLS while keeping EAP-PEAP

2007-06-18 Thread Reimer Karlsen-Masur, DFN-CERT
Hi!

By commenting the CA_file parameter in the eap-tls section:

# CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem

*and*

by setting CA_path parameter in the eap-tls section to an *empty* directory

CA_path = ${raddbdir}/certs/trustedCAs

should do the trick.

No trusted CAs mean no trusted client certificates :-)

Martin Gadbois wrote:
> When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.
>
> How can I disable EAP-TLS while using EAP-PEAP?
>
> I agree that if the client does not have a client key, EAP-TLS will not
> work. But how to restrict EAP-TLS in any case?

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
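
The following is an added example, not part of the message above and not FreeRADIUS project code: a shell check that an eap.conf tls block matches the recipe in this message (CA_file commented out, CA_path pointing at an existing empty directory). The function names, the sample file and the temporary paths are assumptions made for the illustration.

```shell
# tls_setting FILE KEY: print the active (uncommented) value of KEY in tls { }
tls_setting() {
    awk -v key="$2" '
        { sub(/#.*/, "") }    # strip comments, so commented-out keys vanish
        !in_tls { if ($0 ~ /^[ \t]*tls[ \t]*\{[ \t]*$/) { in_tls = 1; depth = 1 }; next }
        /\{[ \t]*$/ { depth++; next }                  # nested subsection opens
        /^[ \t]*\}/ { if (--depth == 0) in_tls = 0; next }
        depth == 1 && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# audit_tls_trust FILE RADDBDIR: return 0 only if the block matches the recipe
audit_tls_trust() {
    conf=$1; raddbdir=$2; rc=0
    ca_file=$(tls_setting "$conf" CA_file)
    ca_path=$(tls_setting "$conf" CA_path)
    # expand the ${raddbdir} reference used in the config lines above
    dir=$(printf '%s\n' "$ca_path" | sed "s|\${raddbdir}|$raddbdir|")
    if [ -n "$ca_file" ]; then
        echo "FAIL: CA_file is active: $ca_file"; rc=1
    fi
    if [ -z "$ca_path" ]; then
        echo "FAIL: CA_path is not set"; rc=1
    elif [ ! -d "$dir" ]; then
        echo "FAIL: CA_path is not a directory: $dir"; rc=1
    elif [ -n "$(ls -A "$dir")" ]; then
        echo "FAIL: CA_path is not empty: $dir"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: tls block trusts no CA"; fi
    return "$rc"
}

# Constructed sample: a tls block written the way the message describes it.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/certs/trustedCAs"
    cat > "$d/eap.conf" <<'EOF'
tls {
    # CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem
    CA_path = ${raddbdir}/certs/trustedCAs
}
EOF
    audit_tls_trust "$d/eap.conf" "$d"; st=$?; rm -rf "$d"; return "$st"
}
demo
```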

Re: Disabling EAP-TLS while keeping EAP-PEAP

2007-06-18 Thread Martin Gadbois

Reimer Karlsen-Masur, DFN-CERT wrote:
> Hi!
>
> By commenting the CA_file parameter in the eap-tls section:
>
> # CA_file = ${raddbdir}/certs/trusted-ca-cert-list.pem
>
> *and*
>
> by setting CA_path parameter in the eap-tls section to an *empty* directory
>
> CA_path = ${raddbdir}/certs/trustedCAs
>
> should do the trick.
>
> No trusted CAs mean no trusted client certificates :-)


Clever! Thanks!



- --
== +-+
Martin Gadbois | Please answer by yes or no.|
Sr. SW Designer| Uncooperative user waste precious CPU time |
Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969  |


RE: Disabling EAP-TLS while keeping EAP-PEAP

2007-06-02 Thread tnt
If someone can gain that level of access and decides JUST to issue a wild
certificate - write him a Thank You letter. What if he creates a
batch of new users? Or resets ALL your users' passwords to "Leroy wuz
'ere"? Your worries are misplaced.

Ivan Kalik
Kalik Informatika ISP



Re: Disabling EAP-TLS while keeping EAP-PEAP

2007-06-01 Thread tnt
By not issuing client certificates.

Ivan Kalik
Kalik Informatika ISP


On 1/6/2007, Martin Gadbois [EMAIL PROTECTED] wrote:

When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.

How can I disable EAP-TLS while using EAP-PEAP?

I agree that if the client does not have a client key, EAP-TLS will not
work. But how to restrict EAP-TLS in any case?

Thanks!

- --
== +-+
Martin Gadbois | Please answer by yes or no.|
Sr. SW Designer| Uncooperative user waste precious CPU time |
Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969  |


Re: Disabling EAP-TLS while keeping EAP-PEAP

2007-06-01 Thread Martin Gadbois

[EMAIL PROTECTED] wrote:
> By not issuing client certificates.

While I covered this solution in my initial posting, what if a
certificate was issued, no CRL possible and I want to disable EAP-TLS
but keep EAP-PEAP?

- --
== +-+
Martin Gadbois | Please answer by yes or no.|
Sr. SW Designer| Uncooperative user waste precious CPU time |
Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969  |