eap-tls with valid and fake certificates.

Alan DeKok aland at deployingradius.com
Fri Jan 17 13:47:21 CET 2020


On Jan 17, 2020, at 7:44 AM, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
> 
> OK I got it. Behind one SSID, you can very well branch into different
> EAP configs (actually I think, the first time I saw this was
> 10+ years ago in a post by Matthew :-) ).

  Yes.

> But doing EAP-TLS does mean to exchange keys, no matter if
> someone validates the client cert.

  Doing EAP-TLS, TTLS, PEAP, even EAP-MSCHAPv2.

> IMO, the OP confuses the cases
> "no client cert at all" vs.
> "client cert must be present, but it is not validated".
> You commented on the latter case, I on the former.

  It's all the same.  If the NAS expects to see MS-MPPE keys, then the RADIUS server *must* send them.  And, send the correct ones.  Otherwise it won't work.

  Alan DeKok.
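The point Alan makes about MS-MPPE keys can be checked on the wire. The following is an added example, not code from this thread or from the FreeRADIUS project: it encodes and decodes the MS-MPPE-Send-Key (vendor type 16) and MS-MPPE-Recv-Key (vendor type 17) Microsoft vendor-specific attributes (vendor ID 311) as RFC 2548 defines them, and reports which of the two an Access-Accept attribute payload is missing. The shared secret, request authenticator, salts and 32-byte keys are constructed sample values, as are the helper names.

```python
"""Check an Access-Accept's attribute payload for the MS-MPPE keys a NAS expects.

Added example; the attribute and encryption formats follow RFC 2548, the
sample secret/authenticator/keys below are constructed for the demo only.
"""
import hashlib
import struct

VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type
MS_VENDOR_ID = 311        # Microsoft
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17
USER_NAME = 1

# Constructed sample values (not from the thread).
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))   # Request Authenticator of the Access-Request
SEND_KEY = b"S" * 32
RECV_KEY = b"R" * 32


def mppe_encrypt(key: bytes, secret: bytes, req_auth: bytes, salt: bytes) -> bytes:
    """RFC 2548 2.4.2/2.4.3: Salt || chained MD5 stream XOR (len || key || pad)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)          # pad to a 16-byte multiple
    out, prev = b"", req_auth + salt
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()     # b(1)=MD5(S+R+A), b(i)=MD5(S+c(i-1))
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out, prev = out + c, c
    return salt + out


def mppe_decrypt(value: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of mppe_encrypt; returns the plaintext key."""
    salt, cipher = value[:2], value[2:]
    if len(salt) != 2 or not cipher or len(cipher) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain, prev = b"", req_auth + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = cipher[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    klen = plain[0]
    if klen > len(plain) - 1:
        raise ValueError("key length byte exceeds payload (wrong secret?)")
    return plain[1:1 + klen]


def build_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def build_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute carrying one Microsoft sub-attribute."""
    sub = bytes([vendor_type, 2 + len(value)]) + value
    return build_attr(VENDOR_SPECIFIC, struct.pack(">I", MS_VENDOR_ID) + sub)


def parse_attrs(payload: bytes):
    """Yield (type, vendor_id, vendor_type, value); VSAs are expanded per sub-attribute."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        value = payload[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor, sub, spos = struct.unpack(">I", value[:4])[0], value[4:], 0
            while spos < len(sub):
                if spos + 2 > len(sub) or sub[spos + 1] < 2 or spos + sub[spos + 1] > len(sub):
                    raise ValueError("bad VSA sub-attribute length")
                vtype, vlen = sub[spos], sub[spos + 1]
                attrs.append((atype, vendor, vtype, sub[spos + 2:spos + vlen]))
                spos += vlen
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return attrs


def missing_mppe_keys(payload: bytes) -> list:
    """Names of the MS-MPPE key attributes the Access-Accept does NOT carry."""
    present = {(v, t) for _, v, t, _ in parse_attrs(payload)}
    wanted = (("MS-MPPE-Send-Key", MS_MPPE_SEND_KEY), ("MS-MPPE-Recv-Key", MS_MPPE_RECV_KEY))
    return [name for name, t in wanted if (MS_VENDOR_ID, t) not in present]


def extract_mppe_keys(payload: bytes, secret: bytes, req_auth: bytes) -> dict:
    """Decrypt whichever MS-MPPE keys are present; {'send': ..., 'recv': ...}."""
    found = {}
    for _, vendor, vtype, value in parse_attrs(payload):
        if vendor == MS_VENDOR_ID and vtype == MS_MPPE_SEND_KEY:
            found["send"] = mppe_decrypt(value, secret, req_auth)
        elif vendor == MS_VENDOR_ID and vtype == MS_MPPE_RECV_KEY:
            found["recv"] = mppe_decrypt(value, secret, req_auth)
    return found


def build_accept_attrs(secret: bytes, req_auth: bytes, send_key: bytes, recv_key: bytes) -> bytes:
    """Constructed Access-Accept attribute payload: User-Name plus both MPPE keys."""
    return (build_attr(USER_NAME, b"alice")
            + build_vsa(MS_MPPE_SEND_KEY, mppe_encrypt(send_key, secret, req_auth, b"\x80\x01"))
            + build_vsa(MS_MPPE_RECV_KEY, mppe_encrypt(recv_key, secret, req_auth, b"\x80\x02")))


if __name__ == "__main__":
    payload = build_accept_attrs(SECRET, REQ_AUTH, SEND_KEY, RECV_KEY)
    print("missing:", missing_mppe_keys(payload))
    print("keys:", extract_mppe_keys(payload, SECRET, REQ_AUTH))
```

Run against a captured Access-Accept (the bytes after the 20-byte RADIUS header) together with the shared secret and the matching request's authenticator, `missing_mppe_keys` tells you whether the server sent both keys at all, and `extract_mppe_keys` whether they decrypt to sane 32-byte values; a wrong secret typically shows up as a length-byte error rather than a clean key.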