Freeradius and client certificate support

Alan DeKok aland at deployingradius.com
Mon Aug 30 14:41:47 CEST 2010


Graham Leggett wrote:
> I have a client certificate on the client PC already. This client
> certificate is trusted by a CA certificate, which is set under the
> "CA_file" option in the tls section of the eap configuration in freeradius.

  OK.

> I have a routerboard offering a wifi interface, and this routerboard
> offers me just one single radius option called "passthrough". I
> understand that this means that an attempt will be made for the client
> PC to pass the EAP through to the radius server.

  If you say so.

> What I want to happen is that the client PC makes an attempt to connect
> to the wireless network, and based on the fact that a valid client
> certificate is present, connection is established automatically using
> EAP-TLS.

  Which requires the client to be configured to do that.

> Ideally I would like to look up the DN of the certificate in a database
> of some kind and accept or deny the connection, but at this point I'm
> focusing just on the most basic capability at this point - EAP-TLS.
>
> What do I need to do to the freeradius server to make this possible?

  You've done it all.

> Do I need to switch off everything except for the tls section to stop
> freeradius trying to offer other EAP methods and confusing the client?

  No.

  For detailed instructions on EAP-TLS, see:

http://freeradius.org/doc/

  Alan DeKok.


