Freeradius and client certificate support

Graham Leggett minfrin at sharp.fm
Mon Aug 30 15:27:34 CEST 2010


On 30 Aug 2010, at 2:41 PM, Alan DeKok wrote:

>> Ideally I would like to lookup the DN of the certificate in a database
>> of some kind and accept or deny the connection, but at this point I'm
>> focusing just on the most basic capability at this point - EAP-TLS.
>>
>> What do I need to do to the freeradius server to make this possible?
>
>  You've done it all.

The closest I've got is to use a MacOSX Snow Leopard machine, and manually specify EAP-TLS, and manually choose the certificate, but at that point I get this:

Mon Aug 30 08:12:56 2010 : Error:     TLS_accept:error in SSLv3 read client hello C
Mon Aug 30 08:12:56 2010 : Error: rlm_eap: SSL error error: 140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
Mon Aug 30 08:12:56 2010 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Mon Aug 30 08:12:56 2010 : Error: rlm_eap: SSL error error: 00000000:lib(0):func(0):reason(0)
Mon Aug 30 08:12:56 2010 : Error: rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
Mon Aug 30 08:12:56 2010 : Auth: Login incorrect: [snip-cn-of-certificate] (from client hotspot port 0 cli 34-15-9E-90-F7-5B)

Do you know what a "session id context" is, and why one might be uninitialised?

>  For detailed instructions on EAP-TLS, see:
>
> http://freeradius.org/doc/

The only reference to EAP-TLS on the above page is under a section called "Older Documents". The first link is to a PDF file called EAPTLS.pdf, and these instructions tell you to go to "http://www.missl.cs.umd.edu/wireless/eaptls/" for instructions on how to configure EAP-TLS in freeradius, and this URL no longer exists.

The second link is entitled "Another eap-tls HOWTO", which again links to http://www.missl.cs.umd.edu/wireless/eaptls/, and is broken as above.

Is there any other mention of EAP-TLS in the documentation anywhere? Google wasn't able to find anything.

Regards,
Graham
--
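Added example (editor's addition, not part of the thread and not FreeRADIUS code): a small decoder for the OpenSSL error lines that rlm_eap_tls prints, run over a constructed copy of the log quoted above. The "session id context" OpenSSL complains about is the per-server value set with SSL_CTX_set_session_id_context(); OpenSSL refuses to resume a session a client offers when the server context never set one, which is why the failure appears inside SSL_GET_PREV_SESSION. The decoder assumes the OpenSSL 1.0-era ERR_PACK layout (8-bit library id, 12-bit function id, 12-bit reason id; OpenSSL 3 dropped the function field) and pulls the names from the log text rather than from a hard-coded table, so it only states what the line itself says. The point for triage is that the first non-zero code is the cause; the 00000000 line is an empty error queue and the SSL_read/BIO_read lines are consequences.

```python
"""Decode the OpenSSL error codes logged by rlm_eap_tls (added example, not FreeRADIUS code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the log lines quoted in the thread, rejoined one per line.
SAMPLE_LOG = """\
Mon Aug 30 08:12:56 2010 : Error:     TLS_accept:error in SSLv3 read client hello C
Mon Aug 30 08:12:56 2010 : Error: rlm_eap: SSL error error: 140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
Mon Aug 30 08:12:56 2010 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Mon Aug 30 08:12:56 2010 : Error: rlm_eap: SSL error error: 00000000:lib(0):func(0):reason(0)
Mon Aug 30 08:12:56 2010 : Error: rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
Mon Aug 30 08:12:56 2010 : Auth: Login incorrect: [snip-cn-of-certificate] (from client hotspot port 0 cli 34-15-9E-90-F7-5B)
"""

ERR_LIB_SSL = 20  # OpenSSL's library number for "SSL routines" (0x14)

# ERR_error_string format: "error:<8 hex digits>:<library>:<function>:<reason text>"
# (the mail client inserted a space after "error:", so allow optional whitespace)
_ERR_RE = re.compile(r"error:\s*([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


@dataclass
class OpenSSLError:
    code: int
    lib: int
    func: int
    reason: int
    lib_name: str
    func_name: str
    reason_text: str

    @property
    def is_empty_queue(self) -> bool:
        # Code 0 means ERR_get_error() found nothing queued; the line carries no cause.
        return self.code == 0


def unpack_error_code(code: int) -> Tuple[int, int, int]:
    """Split a packed OpenSSL 1.0-era error code into (lib, func, reason).

    Assumed ERR_PACK layout: 8-bit library id, 12-bit function id, 12-bit reason id.
    """
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_openssl_error(line: str) -> Optional[OpenSSLError]:
    """Return the decoded OpenSSL error on a log line, or None if the line has none."""
    m = _ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = unpack_error_code(code)
    return OpenSSLError(code, lib, func, reason,
                        m.group(2).strip(), m.group(3).strip(), m.group(4).strip())


def root_cause(log: str) -> Optional[OpenSSLError]:
    """First non-empty OpenSSL error in the log.

    Later zero-code lines and the SSL_read/BIO_read failures are consequences of it.
    """
    for line in log.splitlines():
        err = parse_openssl_error(line)
        if err is not None and not err.is_empty_queue:
            return err
    return None


def summarize(log: str) -> List[str]:
    """One human-readable line per OpenSSL error line, for triage."""
    out = []
    for line in log.splitlines():
        err = parse_openssl_error(line)
        if err is None:
            continue
        if err.is_empty_queue:
            out.append("empty error queue (no information)")
        else:
            out.append(f"lib {err.lib} ({err.lib_name}) func {err.func} ({err.func_name}) "
                       f"reason {err.reason}: {err.reason_text}")
    return out


if __name__ == "__main__":
    cause = root_cause(SAMPLE_LOG)
    if cause is not None:
        print("root cause:", cause.func_name, "-", cause.reason_text)
    for summary in summarize(SAMPLE_LOG):
        print(summary)
```

On the quoted log this decodes 0x140D9115 as library 20 (SSL routines), function 217 (SSL_GET_PREV_SESSION) and reason 277 (session id context uninitialized), and reports the second SSL error line as an empty queue that adds nothing.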