On Fri, 2020-01-17 at 12:06 +0100, Martin Pauly wrote:
The Idea is to authenticate users with eap-tls with certficates. People without any certificate should use different vlan provided by Radius. Only supported authentication should be eap- tls. Is it possible to make authentication with eap-tls with certficates for valid users and some "guest vlan" for users which hasnt any or unknown certificates ?
It's not possible. If the device doesn't present a valid certificate, it won't authenticate. You can't force an "Accept" with EAP methods.
Really?
Yes, really, given the "only EAP-TLS" requirements above. Both "without a certificate should be in a different VLAN" and "guest VLAN for users without a certificate, or an unknown cert" are impossible. EAP-TLS *requires* a valid certificate to authenticate.
Couldn't you branch the processing based on the outer ID? Let all your well-managed users present some special outer id and treat the rest differently.
Don't trust the outer ID. Look at the certificate data after it's been validated, for example by using the check-eap-tls virtual server. -- Matthew