mutual certificate authentication combined with 2nd factor inner authentication

Alan DeKok aland at deployingradius.com
Wed Dec 2 11:41:49 CET 2009


Essen, Hartwig von wrote:
> Due to a limitation also described in 2006 by Matt Brown
> http://www.mattb.net.nz/blog/2006/09/22/requiring-client-certificates-for-eap-ttls-with-freeradius/

  I don't think that patch was necessary even at the time.  That
functionality was in the server over a year earlier.

> we are not able to use 
> - mutual certificate authentication between the server and the client in
> EAP-TTLS
> - in combination with a second factor using inner authentication, e.g.
> EAP-OTP/MSCHAP etc.
> According to a suggestion by Matt Brown (link above) a slight change
> would correct this. 

  Or, do:


authorize {
	...

	if (User-Name == "foo") {
		update control {
			EAP-TLS-Require-Client-Cert = Yes
		}
	}

	...
	eap
	...
}

  Alan DeKok.


