Can you use TLS and Request users authentication as well

Alan DeKok aland at nitros9.org
Tue Apr 18 19:07:10 CEST 2006


Walter Reynolds <waltr at umich.edu> wrote:
> What I am trying to figure out is a way to not only have a certificate, 
> but a secondary way to verify that that certificate is being used by a 
> person we allow.

  Passwords.

> Is this something that can be done?  Has anyone run into a similar problem 
> and what did they do?  I know we could go TTLS and not have a machine 
> cert, but then we get fears of man-in-the-middle.

  I would suggest a self-signed server cert, and a client certificate.
You can use EAP-TLS-Require-Client-Cert to force a particular session
to require a client cert.  This works for TTLS, too.

  The server will then verify that the client cert is signed by the
cert it has, which should prevent man-in-the-middle attacks.

  Alan DeKok.
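As an added example (not part of Alan's message or of the FreeRADIUS project's own configuration), this is how the suggestion above could be expressed in a FreeRADIUS `users` file and the `tls` section of `eap.conf`; the huntgroup name `wired-secure`, the certificate paths and the password are assumptions.

```text
# FILE: raddb/users   (added example; "wired-secure" is a constructed huntgroup name)
#
# Any session matched by this entry must present a client certificate during
# the outer TLS handshake, even when the negotiated EAP type is TTLS.
# Put the attribute in the check-item line with ":=" so it becomes a
# control item rather than being sent back in the reply.
DEFAULT Huntgroup-Name == "wired-secure", EAP-TLS-Require-Client-Cert := Yes
        Fall-Through = Yes

# Nothing else changes: the user's password is still verified by the inner
# TTLS authentication, so both the machine certificate and the person's
# credentials are checked on every login.


# FILE: raddb/eap.conf   (added example; paths and password are assumptions)
#
# The server presents its own self-signed certificate and accepts client
# certificates only if they chain to the CA named in CA_file.  A rogue
# access point cannot produce such a client certificate, which is what
# closes the man-in-the-middle gap the original poster was worried about.
eap {
        default_eap_type = ttls

        tls {
                private_key_password = EXAMPLE-KEY-PASSWORD
                private_key_file     = ${raddbdir}/certs/server.pem
                certificate_file     = ${raddbdir}/certs/server.pem

                # CA that signed the client certificates; only certs that
                # validate against this file pass the handshake.
                CA_file              = ${raddbdir}/certs/ca.pem

                dh_file              = ${raddbdir}/certs/dh
                random_file          = ${raddbdir}/certs/random
        }

        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }
}
```

The `Huntgroup-Name` check assumes a matching entry in `raddb/huntgroups` that maps the relevant NAS addresses to `wired-secure`; any other check item (for example `NAS-IP-Address`) works the same way.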




More information about the Freeradius-Users mailing list