PEAP correct client certificate

Oliver Tollning oliver at tollning.com
Thu Nov 23 23:19:02 CET 2017


>
>    Which runs the external verification command... if there's a client certificate.
>
>> no change in peap
>> peap {
>> tls = tls-common
>> ....
>> }
>>
>>
>> Now if I start freeradius -X and connect I still get an Access-Accept even though my client doesn't have the correct client certificate (because I never created it).
>    That's exactly how it's supposed to work.
>
>    You didn't tell the server to require a client certificate.  So it didn't.
  good
>> And if I scroll up in the debug mode I get a
>> eap_peap: [eaptls verify] = ok
>>
>> Why does my server not verify the client correctly (or at all)
>    The server doesn't magically know that PEAP is supposed to have a client certificate.  You have to tell it.
>
>    Put this into the "authorize" section of raddb/sites-enabled/default:
>
> 	update control {
> 		EAP-TLS-Require-Client-Cert = Yes
> 	}
>
>    It's what I told you to do in a message a few days ago.
>
>    Following instructions helps you solve problems.
>
>    Alan DeKok.
I did add it to sites-enabled/default but I accidentally put it under 
authenticate *dumb me*

Now the client gets rejected, that's good.

I installed a client certificate on the client but he still gets 
rejected :mhmhmh:

It's either
1) I accidentally did something else stupid somewhere in the config files
2) the radius server can't access the CA file, even though he correctly 
starts
or
3) The client didn't handle the certificate correctly, read as: I did 
something wrong.


I'm leaning heavily towards 3), seems to me it's a client problem.

Anyways, will investigate some more until the problem is found :)

Thank you guys so much for your help, really appreciate it.
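For readers who hit the same placement mistake, the following excerpt of raddb/sites-enabled/default shows the two positions side by side: the `update control` block in the "authorize" section (what Alan asked for, and what made the server reject a client without a certificate) and the same block commented out in "authenticate" (where it had no effect). This is an added illustration, not the list's own text or the stock config shipped by the FreeRADIUS project; the module order inside each section is the usual default, trimmed for brevity, and the `filter_username`/`suffix`/`files`/`pap` entries are assumed to be present as in a typical 3.x install.

```unlang
#
# raddb/sites-enabled/default (FreeRADIUS 3.x), relevant excerpts only.
# Added illustration of the placement discussed in the thread, not the
# project's shipped file.  Module list trimmed; order within each
# section matches the stock default.
#

server default {
    authorize {
        filter_username
        preprocess
        suffix

        #
        # Correct placement.  "authorize" runs before the eap module
        # authenticates the request, so the control attribute is already
        # in place when PEAP sets up the TLS tunnel and decides whether
        # to demand a client certificate.  With this present, a client
        # that offers no certificate gets Access-Reject instead of the
        # Access-Accept seen in the thread.
        #
        update control {
            EAP-TLS-Require-Client-Cert = Yes
        }

        eap {
            ok = return
        }
        files
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }

        #
        # Wrong placement (the poster's first attempt).  Entries in
        # "authenticate" are only reached through the selected Auth-Type,
        # after authorize has finished, so the attribute is not set for
        # the eap module's TLS handling and the missing client certificate
        # goes unenforced.  Left here commented out only to mark the
        # mistake; do not uncomment.
        #
        # update control {
        #     EAP-TLS-Require-Client-Cert = Yes
        # }

        eap
    }
}
```

To check the change, restart with `freeradius -X` as in the thread and connect with a client that has no certificate installed: the expected outcome is now an Access-Reject. The `tls = tls-common` line in the `peap` block of mods-enabled/eap stays as quoted above; the requirement for a client certificate is driven by the control attribute, not by that line.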
