Re: Freeradius, Cisco SSC, eDirectory, EAP/(T)TLS Problem

Alan DeKok <aland@deployingradius.com> · Thu, 27 Mar 2008 09:22:54 +0100

Sven 'Darkman' Michels wrote:
> ...The
> only problem i had was "where to force the client cert when using
> eap/tls"

  EAP-TLS *always* uses a client cert.

> which seems to work except that the cisco client simply don't offer a
> cert when using ttls. As far as i know, this requirement is not often
> met at any client (you posted some note about a while ago...)

  Yes.

> so we're
> calling cisco today to clearify how we can do maschine and user
> authentification with forced clientcert  (i can only do ttls for
> maschine AND user/pw auth and not doing like tls for maschine and ttls
> for user/pw - their client doesn't support that - the new client just
> crashes when the server requires a cert, horray ;).

  Nice!

> Thanks for your help so far - the main issue was the old freeradius as
> it seems...

  Yes.  Upgrading is usually a good idea.

  Alan DeKok.