Time for action – disabling unused EAP methods
Our organization decided to support the two tunneled EAP methods (PEAP and EAP-TTLS). We will disable the other methods and set the default EAP method to be PEAP:
- Edit the eap.conf file located under the FreeRADIUS configuration directory. Disable the following methods by commenting them out completely: md5, leap, gtc, and mschapv2.
- Change the default_eap_type directive from:
    default_eap_type = md5
  to:
    default_eap_type = peap
- Restart FreeRADIUS in debug mode and check that the disabled EAP methods are not available any more. Here is the debug output from FreeRADIUS when we tried EAP-MD5. It confirms that EAP Type 4 (MD5) is not supported anymore:
+- entering group authenticate {...} [eap] Request found, ...
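A static check of the steps above, as an added example that is not part of the original text or of FreeRADIUS: it reports which method sub-sections of eap { } are still active and whether default_eap_type is peap. The function name audit_eap_conf and the sample file contents are assumptions made for illustration.

```python
import re

# Methods the steps above comment out, and the default they set.
DISABLE = {"md5", "leap", "gtc", "mschapv2"}
WANT_DEFAULT = "peap"

def audit_eap_conf(text):
    """Return (default_eap_type, enabled sub-sections of eap {}, findings)."""
    depth, in_eap, default, enabled = 0, False, None, []
    for raw in text.splitlines():
        # Drop comments first so commented-out blocks vanish (assumes no '#' in values).
        line = raw.split("#", 1)[0].strip()
        opener = re.match(r"([\w-]+)\s*\{", line)
        if opener and depth == 0:
            in_eap = opener.group(1) == "eap"
        elif opener and depth == 1 and in_eap:
            enabled.append(opener.group(1))
        elif depth == 1 and in_eap:
            kv = re.match(r"default_eap_type\s*=\s*(\S+)", line)
            default = kv.group(1) if kv else default
        depth += line.count("{") - line.count("}")
    findings = [f"still enabled: {m}" for m in sorted(DISABLE & set(enabled))]
    if default != WANT_DEFAULT:
        findings.append(f"default_eap_type is {default}, expected {WANT_DEFAULT}")
    return default, sorted(enabled), findings

# Constructed sample: a half-finished edit (gtc and mschapv2 were missed).
SAMPLE = """\
eap {
    default_eap_type = peap
    #md5 {
    #}
    #leap {
    #}
    gtc {
        auth_type = PAP
    }
    tls {
        private_key_file = ${certdir}/server.pem
    }
    ttls {
    }
    peap {
    }
    mschapv2 {
    }
}
"""
if __name__ == "__main__":
    print(audit_eap_conf(SAMPLE)[2])
```

Running the debug-mode test from the last step remains the authoritative check; this only catches a block that was missed or half commented out before the restart.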