Freeradius and client certificate support
Alan DeKok
aland at deployingradius.com
Mon Aug 30 14:01:38 CEST 2010
Graham Leggett wrote:
> On 30 Aug 2010, at 9:00 AM, Alan DeKok wrote:
>
>> Then it's likely not doing EAP-TLS.
>
> Can you be more specific when you say "it's"?
None of the pieces are doing EAP.
> The routerboard in the middle is configured to do "passthrough" of eap
> to the radius server, and the radius server is configured to say the
> following:
>
> default_eap_type = tls
That *allows* the server to do EAP. It doesn't make the PC do EAP.
> The client (MacOSX) seems to have no idea that either the NAS or the
> radius server wants to use EAP-TLS, and pops up a window asking for both
> a certificate, and a username and password.
Exactly. So... configure the Mac system to do EAP. Configure the NAS
to require EAP on the port. Neither of these issues is related to
FreeRADIUS.
> Over and above the steps followed above, I am in the dark as to whether
> something else needs to be done to make this work.
See above.
>> There is no documentation because you don't need to do anything. When
>> EAP-TLS is used, then any User-Name is accepted.
>
> It would be useful if that was documented :)
That's how EAP-TLS *works*. This isn't a FreeRADIUS issue.
> The "Username as MAC" behaviour seems to be mikrotik behaviour; without
> documentation I have no clear picture as to how this affects the login.
If the Mac system isn't doing EAP, then that would seem to affect the
login process.
> Am I correct in understanding that the client PC is not able to figure
> out for itself which type of EAP it should use, and that the end user
> has to manually set EAP-TLS for it to work?
Yes. That's how EAP works.
> The reason I ask is that my client PC gives a number of checkboxes as to
> the types of EAP it will support, which implies that it's the radius
> server that specifies the type of EAP accepted, but if you're telling me
> that I must manually set this on the client PC, it would imply this is
> not possible.
If you want to use EAP-TLS, there are certain things you *must*
configure on the end system. It can't magically obtain a client
certificate. You need to provide one.
Alan DeKok.
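The practical question in this exchange is whether the supplicant is doing EAP at all, or just sending a username and password, because the server's eap module only runs when the Access-Request carries EAP-Message. The following is an example added to this page, not code from the thread or from FreeRADIUS: it parses the attribute list of a RADIUS Access-Request (RFC 2865) and, when an EAP-Message attribute is present, the EAP header inside it (RFC 3748), then reports the authentication method and EAP type offered. The two packets at the bottom are constructed by hand for the example; their Request Authenticator, Message-Authenticator and User-Password bytes are zero placeholders, not values a real NAS would send.

```python
"""Classify how a RADIUS Access-Request is trying to authenticate.

Example code added for this page, not FreeRADIUS code.  Attribute and
EAP type numbers are the IANA-assigned values from the RFCs cited in
the comments; the sample packets are constructed for the example.
"""
import struct

# RADIUS attribute types (RFC 2865, RFC 2869, RFC 3579)
USER_NAME = 1
USER_PASSWORD = 2
CHAP_PASSWORD = 3
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80

# EAP codes and method types (RFC 3748, RFC 5216)
EAP_RESPONSE = 2
EAP_TYPE_TLS = 13
EAP_TYPE_NAMES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def parse_attributes(packet):
    """Return a list of (type, value) pairs from a RADIUS packet, checking lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs = []
    pos = 20  # header is code, id, length and a 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def classify(packet):
    """Return a dict with user_name, method ('eap', 'pap', 'chap' or 'none'),
    eap_type (name of the EAP method in an EAP-Response, else None) and
    message_authenticator (RFC 3579 requires it alongside EAP-Message)."""
    attrs = parse_attributes(packet)
    result = {"user_name": None, "method": "none", "eap_type": None,
              "message_authenticator": any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs)}
    for t, v in attrs:
        if t == USER_NAME:
            result["user_name"] = v.decode("utf-8", "replace")
    # A long EAP packet is split over several EAP-Message attributes; concatenate them.
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if eap:
        result["method"] = "eap"
        code, ident, elen = struct.unpack("!BBH", eap[:4])
        if code == EAP_RESPONSE and elen >= 5:
            result["eap_type"] = EAP_TYPE_NAMES.get(eap[4], "type %d" % eap[4])
    elif any(t == USER_PASSWORD for t, _ in attrs):
        result["method"] = "pap"
    elif any(t == CHAP_PASSWORD for t, _ in attrs):
        result["method"] = "chap"
    return result


def build_access_request(attrs, ident=1):
    """Encode an Access-Request (code 1) with a zero authenticator (constructed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body


def eap_response(ident, eap_type, data=b""):
    """Encode an EAP-Response of the given method type."""
    payload = bytes([eap_type]) + data
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(payload)) + payload


# Constructed sample 1: a supplicant that is doing EAP-TLS.  The User-Name is only
# the outer identity; EAP-TLS authenticates the client certificate, not this name.
EAP_TLS_REQUEST = build_access_request([
    (USER_NAME, b"anonymous"),
    (EAP_MESSAGE, eap_response(2, EAP_TYPE_TLS, b"\x80\x00\x00\x00\x00")),  # L flag set
    (MESSAGE_AUTHENTICATOR, bytes(16)),  # placeholder HMAC-MD5, constructed
])

# Constructed sample 2: a client that answered a username/password prompt.  There is
# no EAP-Message, so no EAP method can be negotiated, whatever default_eap_type says.
PAP_REQUEST = build_access_request([
    (USER_NAME, b"00:11:22:33:44:55"),
    (USER_PASSWORD, bytes(16)),  # placeholder for the RFC 2865 obfuscated password
])

if __name__ == "__main__":
    for name, pkt in (("EAP-TLS supplicant", EAP_TLS_REQUEST), ("password client", PAP_REQUEST)):
        print(name, classify(pkt))
```

Run it on a captured Access-Request (for example the raw UDP payload from a pcap) instead of the constructed packets to see what a given supplicant is really sending; a result of `pap` or `chap` means the client side, not the server, has to be reconfigured before any EAP-TLS setting on the server can take effect.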
More information about the Freeradius-Users mailing list