On Sep 23, 2016, at 3:20 PM, Peter Lesko <plesko@blispay.com> wrote:
I'm having a similar issue to the one described here: http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-td...
Currently, I can auth with just a signed cert, or just username/password
I would like to enforce both, but I have been unable to determine the correct keywords/config after reading many forum posts, in addition to the comments provided in the default configuration
OK...
I have attempted to add this config line to enforce signed certs in sites-available/default: EAP-TLS-Require-Client-Cert = yes
This causes freeradius not to start for me though,
The server produces an error message when run in debug mode. Are you reading it? Or, maybe you're not even using debug mode. Why not?
and I'm pretty certain I have tried putting that in each block present in the file
Don't "try hard". Follow the documentation and examples. You CANNOT just put that text into the default virtual server, and expect it to work. The format of that file is documented. Please read "man unlang".
As for requiring user/password auth, I have tried:
DEFAULT EAP-Type == EAP-Type-TLS, Auth-Type := Reject Which causes freeradius to fail to load
It may be useful to read the error message it produces.
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject Which still allows EAP-TLS only
DEFAULT EAP-Type != PEAP, Auth-Type := Reject Which still allows EAP-TLS only as well
Please advise
Read the documentation and examples to see how the server works. Don't invent your own syntax. In the "authorize" section, add: update control { EAP-TLS-Require-Client-Cert = yes } Alan DeKok.