Freeradius, Cisco SSC, eDirectory, EAP/(T)TLS Problem
Sven 'Darkman' Michels
sven at darkman.de
Thu Mar 27 08:53:54 CET 2008
Hi,
Alan DeKok wrote:
> Sven 'Darkman' Michels wrote:
>> But this works only on freeradius 2.x, doesn't it? Actually I have 1.1.0
>> from SLES10...
>
> Download the binary Suse packages: http://freeradius.org/download.html
>
> 1.1.0 is *very* old.
I noticed that, too :/ I upgraded last night to 2.0.2 and migrated the
config. Now it looks a bit better. My default server does the TLS
tunneling and my inner-tunnel server is handling the LDAP stuff. The
only problem I had was "where to force the client cert when using
EAP/TLS" - for now I just put it into the authorize {} block:
    authorize {
        ...
        eap {
            ok = return
        }
        update control {
            EAP-TLS-Require-Client-Cert = yes
        }
        ...
    }
which seems to work, except that the Cisco client simply doesn't offer a
cert when using TTLS. As far as I know, this requirement is not often
met by any client (you posted some note about it a while ago...), so we're
calling Cisco today to clarify how we can do machine and user
authentication with a forced client cert (I can only do TTLS for
machine AND user/pw auth, and not something like TLS for machine and TTLS
for user/pw - their client doesn't support that - the new client just
crashes when the server requires a cert, hooray ;).
Thanks for your help so far - the main issue was the old FreeRADIUS, as
it seems...
Regards,
Sven
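For reference, the split the message describes (outer server forcing the client cert during the TLS handshake, EAP-TTLS handed to an inner-tunnel server that talks to LDAP) written out as a FreeRADIUS 2.x configuration. This is an added illustration, not Sven's or the FreeRADIUS project's own config; file paths, certificate names and the exact module lists are assumptions.

```conf
# /etc/raddb/sites-enabled/default  (assumed path; outer server, terminates TLS)
authorize {
    preprocess
    # Set the control attribute before calling eap, so it is in place
    # regardless of what the eap module returns in authorize.
    # Only the client's certificate is required by this; what it chains to
    # is decided by CA_file in eap.conf.
    update control {
        EAP-TLS-Require-Client-Cert = yes
    }
    eap {
        ok = return
    }
}
authenticate {
    eap
}

# /etc/raddb/eap.conf  (assumed path)
eap {
    default_eap_type = ttls
    tls {
        certdir = ${confdir}/certs
        private_key_password = CHANGE_ME          # placeholder
        private_key_file = ${certdir}/server.pem  # assumed file name
        certificate_file = ${certdir}/server.pem  # assumed file name
        CA_file = ${certdir}/ca.pem               # CA that must sign client certs
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
    }
    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        # Inner (user/pw) credentials are processed by this virtual server.
        virtual_server = "inner-tunnel"
    }
}

# /etc/raddb/sites-enabled/inner-tunnel  (assumed path; sees only the tunneled request)
server inner-tunnel {
    authorize {
        ldap        # looks the user up; sets Auth-Type LDAP when no password is readable
        pap         # handles PAP inside TTLS when ldap could fetch the password
    }
    authenticate {
        Auth-Type LDAP {
            ldap    # bind-as-user against eDirectory
        }
        pap
        eap         # for EAP methods carried inside TTLS (e.g. mschapv2)
    }
}
```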