forcing client certificate authentication during EAP-PEAP and EAP-TTLS

Michael Wang mwang25 at
Thu Aug 4 19:47:56 CEST 2005


I was wondering if there is a way to configure the radiusd to force
the client to present his certificate during EAP-PEAP and EAP-TTLS.
(I know this is not necessary, but I need to do it anyways....)

I saw an interesting piece of code in eaptls_initiate() which
indicates someone was thinking about it:

        *      If we're TTLS or PEAP, then do NOT require a client
        *      certificate.
        *      FIXME: This should be more configurable.
       if (handler->eap_type != PW_EAP_TLS) {
               vp = pairfind(handler->request->config_items,
               if (!vp) {
                       client_cert = FALSE;
               } else {
                       client_cert = vp->lvalue;

So it seems like radiusd will force client certificate authentication
during PEAP or TTLS if this particular value pair is set with
lvalue==1.  But I don't see any code where the
PW_EAP_TLS_REQUIRE_CLIENT_CERT gets put into the config_items.

Can someone "in the know" comment?

I am looking at the source code from freeradius-1.0.4


More information about the Freeradius-Users mailing list