EAP-TLS without client authentication
chris at riosec.com
Thu Jan 8 06:13:40 CET 2009
This may sound like a strange request, but I'd like to know if it is
possible to use FreeRADIUS to perform EAP-TLS without asking for a
client certificate. The purpose is to allow for a secure connection
to an access point without client authentication. I think this might
be useful to replace "open wireless" for public wireless access with
something more secure.
According to the EAP-TLS RFC (rfc2716), it sounds like it might be possible:
"The certificate_request message is included when the server desires
the client to authenticate itself via public key. While the EAP server
SHOULD require client authentication, this is not a requirement, since
it may be possible that the server will require that the peer
authenticate via some other means."
I tried this with FreeRADIUS and eapol_test (from wpa_supplicant) with
the following result:
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
The only change I've made from the default eap.conf is to try
disabling the CA_file setting (I've tried it both ways).
Does it sound like this is something that should be possible, or am I off base?