TLS authentication works, but does not check usernames against 'users' file.

Andrew Bovill abovill at gmail.com
Tue Nov 30 17:55:45 CET 2010



On 11/30/2010 11:15 AM, Phil Mayers wrote:
> On 30/11/10 16:10, Andrew Bovill wrote:
>>
>> It just seems weird that nearly ALL of the supplicants I've used
>> *require* me to give a username/password (or at least an Identifier +
>> password) in addition to the unlocked certificate. Maybe a better
>> question is: What's the point of the username/pass that's also being
>> sent by the supplicant?
>
> Well, the username goes into the EAP-Identity field. For example you 
> might put:
>
> user at home.org.com
>
> ...and be in a radius roaming federation like eduroam, but your 
> certificate may contain:
>
> cn=user,o=Home Org,...
>
> ...so you need to be able to specify a username.
>
> Password is not used in EAP-TLS; the supplicants I've seen don't ask 
> for it (Windows, MacOS, Linux/NetworkManager, Nokia E-series)

Ok, this makes more sense now.  I think what was throwing me off was 
that the Android supplicant asks for the following when doing 802.1x EAP:
EAP Method (I chose TLS)
Phase 2 authentication (I left as none, but has things like CHAP, PAP, etc)
CA cert
user cert
Identity
Anonymous Identity
Password

It seemed to me that it wouldn't connect if I left the Identity blank, 
so that may be what was confusing me.
It doesn't seem to me like there would be, but is there any way to have, 
say, a 'guest' certificate, that can be handed out to multiple people 
and be used simultaneously with EAP/TLS?
--Andrew
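An added example, not code from either poster or from FreeRADIUS: a small policy check that binds the outer EAP-Identity (the roaming form `user@home.org.com` from the reply above) to the certificate CN and then requires that CN to appear in a users-file style list, which is the check the subject line says plain EAP-TLS does not perform. The function names, the DN parser and the sample users file are constructed for illustration.

```python
# Constructed stand-in for a RADIUS 'users' file: one allowed name per
# line, comments and blank lines ignored (hypothetical format).
USERS_FILE = """
# cert CN of each authorised person
alice
bob
"""

def load_users(text):
    """Return the set of usernames listed in a users-file style text."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split()[0])
    return names

def cert_cn(subject):
    """Extract the CN from a 'cn=user,o=Home Org,...' style subject."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.lower() == "cn":
            return value
    return None

def check_eap_tls(identity, subject, users_text, require_realm=None):
    """Decide accept/reject for an EAP-TLS session after the TLS
    handshake has already validated the certificate chain.

    identity   - outer EAP-Identity, e.g. 'user@home.org.com'
    subject    - DN of the presented client certificate
    users_text - contents of the users file the CN must appear in
    Returns (accepted, reason).
    """
    local, _, realm = identity.partition("@")
    cn = cert_cn(subject)
    if cn is None:
        return False, "certificate has no CN"
    # Roaming case from the thread: identity 'user@home.org.com' with a
    # certificate cn=user, so only the local part has to match the CN.
    if local != cn:
        return False, "identity %r does not match certificate CN %r" % (local, cn)
    if require_realm and realm != require_realm:
        return False, "realm %r not served here" % realm
    # A validly signed certificate is not enough on its own: the CN must
    # also be listed, so a shared or withdrawn cert stops working.
    if cn not in load_users(users_text):
        return False, "CN %r not in users file" % cn
    return True, "ok"
```

A shared 'guest' certificate fails the last check unless 'guest' is listed, and then every holder is indistinguishable in the logs, which is the practical objection to handing one certificate to several people.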
