Time for action – disabling unused EAP methods
Our organization decided to support the two tunneled EAP methods (PEAP and EAP-TTLS). We will disable the other methods and set the default EAP method to be PEAP:
- Edit the eap.conf file located under the FreeRADIUS configuration directory. Disable the following methods by commenting them out completely: md5, leap, gtc, and mschapv2.
- Change the default_eap_type directive from:
    default_eap_type = md5
  to:
    default_eap_type = peap
- Restart FreeRADIUS in debug mode and check that the disabled EAP methods are not available any more. Here is the debug output from FreeRADIUS when we tried EAP-MD5. It confirms that EAP Type 4 (MD5) is not supported anymore:
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP NAK
    [eap] NAK asked for unsupported type 4
    [eap] No common EAP types found.
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
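A static check that can be run on eap.conf before the restart, added here as an example and not taken from the book or from FreeRADIUS: it lists the method sub-sections still enabled directly under eap { } and reads the outer default_eap_type. The function name, the allow-list and the sample configuration are assumptions constructed for illustration; the sample deliberately leaves gtc enabled to show a missed method being reported.

```python
import re

# Assumptions: policy allows only the two tunneled methods from the text; the
# tls section stays because FreeRADIUS uses it to build the PEAP/TTLS tunnel.
ALLOWED = {"peap", "ttls"}
DEPENDENCIES = {"tls"}

def audit_eap_conf(text):
    """Report enabled EAP methods and the outer default in eap.conf-style text."""
    depth, in_eap, default, enabled = 0, False, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # commented-out methods drop out here
        opens = re.match(r"([\w-]+)\s*\{", line)
        if depth == 0 and opens and opens.group(1) == "eap":
            in_eap = True
        elif in_eap and depth == 1:
            # Direct children of eap { } only: peap { } has its own inner
            # default_eap_type one level down, which is not the outer default.
            m = re.match(r"default_eap_type\s*=\s*(\S+)", line)
            if opens:
                enabled.append(opens.group(1))
            elif m:
                default = m.group(1)
        depth += line.count("{") - line.count("}")
        in_eap = in_eap and depth > 0
    unexpected = sorted(set(enabled) - ALLOWED - DEPENDENCIES)
    return {"default": default, "enabled": enabled, "unexpected": unexpected,
            "compliant": not unexpected and default in ALLOWED and default in enabled}

# Constructed sample (not a real file): md5 is commented out, gtc was missed.
SAMPLE = """eap {
    default_eap_type = peap
    #md5 {
    #}
    gtc {
        auth_type = PAP
    }
    tls {
    }
    ttls {
    }
    peap {
        default_eap_type = mschapv2
    }
}"""

print(audit_eap_conf(SAMPLE))
```

The debug-mode test in the last step remains the authoritative check, since it shows what the running server actually negotiates.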
What just happened?
We have changed the default...