Which runs the external verification command... if there's a client certificate.
no change in peap peap { tls = tls-common .... }
Now if I start freeradius -X and connect I still get an Access-Accept even though my client doesnt have the correct client certificate (because I never created it). That's exactly how it's supposed to work.
You didn't tell the server to require a client certificate. So it didn't.
good
And if I scroll up in the debug mode I get a eap_peap: [eaptls verify] = ok
Why does my server not verify the client correctly (or at all) The server doesn't magically know that PEAP is supposed to have a client certificate. You have to tell it.
Put this into the "authorize" section of raddb/sites-enabled/default:
update control { EAP-TLS-Require-Client-Cert = Yes }
It's what I told you to do in a message a few days ago.
Following instructions helps you solve problems.
Alan DeKok. I did add it to sites-enabled/default but I accidently put it under authenticate *dumb me*
Now the client gets rejected, thats good. I installed a client certificate on the client but he still gets rejected :mhmhmh: Its either 1) I accidently did something else stupid somewhere in the config files 2) the radius server cant access the CA file, even though he correctly starts or 3) The client didnt handle the certificate correty, read as: I did something wrong. I'm leaning heavily towards 3), seems to me its a client problem. Anyways, will investigate some more until the problem is found :) Thank you guys so much for your help, really appreciate it. Tweet.