Daniel Bertolo wrote:
I currently run FreeRADIUS 2.1.6 ... authenticate { Auth-Type eap { eap if (!"%{TLS-Client-Cert-Subject}" =~ /\/O=MyCompany\// ) {
That won't work in 2.1.6. You need at least 2.1.10.
- This would belong in the "outer" request as there is no inner request with EAP-TLS, right?
Yes.
- What happens to requests that don't provide a client certificate (the users who still use EAP-TTLS or PEAP)?
The TLS-Client-Cert-Subject is empty. You will need to check for EAP-TLS: if ((EAP-Type == EAP-TLS) && \ (%{TLS-Client-Cert-Subject}" !~ /\/O=MyCompany\//)) { ...
In conclusion, is there a way to distinguish between EAP-TLS requests and EAP-TTLS or PEAP requests? And if so, can I use a different server section for EAP-TLS?
Yes, and no. Alan DeKok.