On Oct 3, 2023, at 10:34 AM, Stefan Kania <stefan@kania-online.de> wrote:
That's what I did. I put the ca-certificat and the key into the subdirectory certs/ that is working :-). But now I wold like to use client certificates instead of username+password. So both, the server certificate and the client-certificate are from the same CA. So the client sends it's certificate to the radius-server and the server checks wther the certifcate belongs to the client or not and checks that the certificate is valide with the root-certificate of my ca. Is this right?
Yes. That's common across all uses of TLS and client certificates. There's nothing special about how RADIUS uses client certs.
But what I'm looking for ist how to configure freeradius to only use certificates and not username+password. Or did I understood this txpe of authentication totally wrong :-(
Don't configure FreeRADIUS to do password lookups. Configure the client to use EAP-TLS, and there won't *be* passwords in the RADIUS packets. Alan DeKok.