PEAP correct client certificate
Alan DeKok
aland at deployingradius.com
Mon Nov 20 22:31:39 CET 2017
On Nov 20, 2017, at 4:27 PM, Brian Julin <BJulin at clarku.edu> wrote:
> Oh... are you talking about setting the EAP-TLS-Require-Client-Cert control item?
Yes.
> If so, the problem with that is: how do you know when to do that?
Policy... usually looking up user name / device / whatever in a DB.
> It's undoubtedly a useful
> feature for people who have a reliably consistent database of all identifiers that should
> present a cert, but in some environments that's just too chaotic to pull off... e.g. when users
> can nuke and reinstall an OS or multi-boot.
Well... if the user screws up their system, the safest thing to do is reject them.
If they should have a cert, then the server shouldn't make it optional.
If they shouldn't have a cert, why would they present one? Where would they get it from?
It's always better to understand what to do, and to do it right. Guessing is almost always bad.
> Anyway I didn't mean to derail the user list. I could take this to a github issue unless there's
> a better place for wishlist stuff. Thanks for the clarifications.
That's fine.
Alan DeKok.
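As an added example (not from the thread or from the FreeRADIUS project's own configuration), one way to express the per-identity policy lookup Alan describes with the `files` module, assuming hypothetical identities, MAC addresses and a fail-closed default for devices the lookup does not know:

```unlang
# Hypothetical "users" file entries. Check items on the first line of an
# entry are evaluated in the outer "authorize" section, i.e. before the eap
# module starts the PEAP TLS handshake, so they key on the OUTER identity
# (User-Name) and on RADIUS attributes such as Calling-Station-Id, not on
# the inner identity sent inside the tunnel.

# Managed machines (outer identity "host/...") were enrolled with a client
# certificate: the TLS phase must see one, or the handshake is rejected.
DEFAULT  User-Name =~ "^host/", EAP-TLS-Require-Client-Cert := Yes

# A specific BYOD device, identified by MAC, is known not to hold a cert.
# The server does not ask for one, so a cert presented here is not expected.
DEFAULT  Calling-Station-Id == "AA-BB-CC-11-22-33", EAP-TLS-Require-Client-Cert := No

# Anything not covered above is rejected rather than guessed about
# (assumption: unknown devices are not enrolled in this deployment).
DEFAULT  Auth-Type := Reject
         Reply-Message = "Device not enrolled; contact the helpdesk"
```

Because `files` stops at the first matching entry unless `Fall-Through = Yes` is set, the order of the entries is the policy: the most specific rules go first and the reject entry last.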