General EAP configuration
The default EAP settings (EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP) work in most situations, so change them only when there is a specific need. If EAP-TTLS or EAP-PEAP is used with VLAN assignment, set Use Tunneled Reply to yes:
To make the use of certificates more secure, check the Common Name (CN) of the client certificate against the username entered in FreeRADIUS > Users. For this, set Check Client Certificate CN to yes:
Another option to increase security with certificates is to check the issuer of the client certificate against the CA certificate. This can be enabled with Check Cert Issuer, but then the country, state, province and organization must be entered exactly (case sensitive) so that they match the CA.
FreeRADIUS by default allows many EAP types for authentication. In some environments only strong EAP types (TLS, TTLS, PEAP, MSCHAPv2) may be allowed, or weak types (MD5, GTC, LEAP) may be disallowed. Disable the weak EAP types in FreeRADIUS using Disable weak EAP types so that FreeRADIUS rejects users who try to authenticate with such a weak method. Disabling these types does not affect the inner tunnel session of EAP-TTLS and EAP-PEAP. It is also no problem to use a weak or cleartext method in the inner tunnel, because the outer tunnel uses one of the strong, encrypted types listed above.
FreeRADIUS is multi-talented: it can handle almost every authentication type that hosts send. So if weak types such as MD5 and others are not disabled, the following will happen:
a client wants to authenticate using MD5 => FreeRADIUS will do that
a client wants to authenticate using LEAP => FreeRADIUS will do that
a client wants to authenticate with TLS or TTLS or PEAP or MSCHAPv2 or ... => FreeRADIUS will do that
If Disable weak EAP types is checked, MD5, GTC and LEAP are disabled. This will happen:
a client wants to authenticate using MD5 -> FreeRADIUS will not do that because that was disabled
a client wants to authenticate using LEAP -> FreeRADIUS will not do that because that was disabled
a client wants to authenticate with TLS or TTLS or PEAP or MSCHAPv2 or ... -> FreeRADIUS will do that
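To show what the GUI options above amount to in the underlying FreeRADIUS configuration, here is an added example of an eap module definition. It is not the configuration generated by the pfSense package and not part of the original page; the directive names and the tls-config/tls = layout follow the FreeRADIUS 3.0 raddb/mods-available/eap file, and the file paths, private key password and issuer DN are placeholders.

```conf
# Added example (not the package's generated file): FreeRADIUS 3.0 style eap
# module with the weak outer methods left out, Use Tunneled Reply enabled, and
# both client certificate checks switched on. All paths, the private key
# password and the issuer DN are placeholders.
eap {
    # Offer a strong outer method first. If a client NAKs and asks for md5, leap
    # or gtc instead, the request is rejected because no such sub-section exists.
    default_eap_type = peap
    timer_expire     = 60
    ignore_unknown_eap_types = no

    # Weak outer types deliberately NOT configured. The permissive default
    # configuration would contain the following blocks; omitting them is what
    # "Disable weak EAP types" amounts to:
    #   md5 { }
    #   leap { }
    #   gtc { auth_type = PAP }

    tls-config tls-common {
        private_key_password = PLACEHOLDER_PASSWORD
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh

        # "Check Client Certificate CN": the certificate CN must equal the
        # User-Name the client sent, i.e. the name entered under Users.
        check_cert_cn = %{User-Name}

        # "Check Cert Issuer": the issuer DN is compared as a string against
        # this value, so the C, ST, L and O parts must match the CA exactly,
        # including letter case.
        check_cert_issuer = "/C=XX/ST=PlaceholderState/L=PlaceholderCity/O=Placeholder CA Org"
    }

    tls {
        tls = tls-common
    }

    ttls {
        tls = tls-common
        # The inner method runs inside the TLS tunnel, so inner methods the
        # outer layer refuses (or non-EAP ones such as PAP/CHAP/MSCHAP that
        # TTLS can carry) are protected by the outer encryption.
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        # "Use Tunneled Reply": reply attributes set in the inner-tunnel virtual
        # server (for example the VLAN assignment) are copied into the final
        # Access-Accept sent to the switch or access point.
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}
```

With this module, a supplicant that only offers EAP-MD5 or LEAP gets an Access-Reject from the outer EAP layer, while PEAP/MSCHAPv2 and TTLS continue to work and their inner-tunnel reply attributes reach the NAS because use_tunneled_reply is yes.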