Freeradius and client certificate support
minfrin at sharp.fm
Mon Aug 30 13:17:24 CEST 2010
On 30 Aug 2010, at 9:00 AM, Alan DeKok wrote:
>> As I understand, what I am looking for is EAP-TLS, and I have
>> to configure it against a mikrotik routerboard. I see the radius
>> entering the server, with the User-Name set to the MAC address of the
>> incoming client (mikrotik default behaviour).
> Then it's likely not doing EAP-TLS.
Can you be more specific when you say "it's"?
The routerboard in the middle is configured to do "passthrough" of eap
to the radius server, and the radius server is configured to say the
default_eap_type = tls
The client (MacOSX) seems to have no idea that either the NAS or the
radius server wants to use EAP-TLS, and pops up a window asking for
both a certificate, and a username and password.
Over and above the steps followed above, I am in the dark as to
whether something else needs to be done to make this work.
>> My next step is to suitably configure freeradius to accept the login
>> based on the attributes within the client certificate, and to
>> accept any
>> User-Name, however I can find no documentation how to do this.
> There is no documentation because you don't need to do anything.
> EAP-TLS is used, then any User-Name is accepted.
It would be useful if that was documented :)
>> Ideally, I would like the effective freeradius login name to be the
>> of the client certificate.
> Then use EAP-TLS. If the User-Name is the MAC, then you're not using
The "Username as MAC" behaviour seems to be mikrotik behaviour,
without documentation I have no clear picture as to how this affects
>> Does anyone know whether this is possible, and if so, what I need to
>> tell freeradius to make this happen?
> Tell the *NAS* to ask for EAP. Tell the *client PC* to use EAP-TLS.
Ok, now I am confused.
Am I correct in understanding that the client PC is not able to figure
out for itself which type of EAP it should use, and that the end user
has to manually set EAP-TLS for it to work?
The reason I ask is that my client PC gives a number of checkboxes as
to the types of EAP it will support, which implies that it's the
radius server that specifies the type of EAP accepted, but if you're
telling me that I must manually set this on the client PC, it would
imply this is not possible.
Can you clarify for me if possible?
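For reference, an added example (not from this thread and not the FreeRADIUS project's shipped configuration) of the two pieces this exchange is about: an eap.conf that offers EAP-TLS and pins the CA the client certificate must chain to, and a post-auth rule that puts the certificate's CN, rather than the MAC the NAS sent as User-Name, into the reply. The file paths, the private-key password and the FreeRADIUS 2.1.x layout are assumptions.

```conf
# --- eap.conf (FreeRADIUS 2.1.x layout assumed; paths are assumptions) ---
eap {
    # Offer EAP-TLS first. The NAS only passes EAP through; the
    # supplicant still has to be set up for EAP-TLS and hold a client
    # certificate, otherwise it will NAK this and ask for something else.
    default_eap_type = tls

    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs

        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem

        # Only client certificates chaining to this CA are accepted.
        # This, not the User-Name attribute, is what authenticates the
        # client; the User-Name the NAS sends (here the MAC) is never checked.
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom

        fragment_size = 1024
        include_length = yes

        # Leave this disabled: the NAS sends the MAC as User-Name, so
        # comparing the certificate CN against it would always fail.
        # check_cert_cn = %{User-Name}
    }
}

# --- sites-enabled/default, post-auth section ---
post-auth {
    # The MAC in User-Name was never verified. Return the identity the
    # certificate actually proved so the NAS can log/account for it.
    if (TLS-Client-Cert-Common-Name) {
        update reply {
            User-Name := "%{TLS-Client-Cert-Common-Name}"
        }
    }
}
```

On 2.1.x the TLS-Client-Cert-* attributes are added to the request list during the handshake, which is why the post-auth rule can read them directly; on 3.x they live in the session-state list and would be referenced as &session-state:TLS-Client-Cert-Common-Name instead. Whether the NAS actually uses a User-Name returned in the Access-Accept for its accounting records is NAS-dependent and should be checked on the Mikrotik side.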