Arran, I have a private CA and I've created the server and client certs of course...and I've generated the .p12 cert (includind the CA cert) to install in my Windows 7 clients....it works OK. What I mean is that EAP-TLS is easier to me than AD authentication at this point, because I've just put it to work...and if I want to use AD auth I have to take EAP-TLS out and start again with NTLM / AD authentication....is it OK ??? Regards 2013/9/18 Arran Cudbard-Bell <a.cudbardb@freeradius.org>:
On 18 Sep 2013, at 15:39, Roberto Carna <robertocarna36@gmail.com> wrote:
Sorry, so I'm a bit confused...
I'm using Windows 7 clients for accesing the WiFi network through EAP-TLS with X.509 certificates. But in this way, I could see that I can authenticate users or hosts...if I choose users, I can see a dialog box to fill user and password and I suppose they are checked against MySQL database (because I see the query in debug mode). Is this correct or not ???
MySQL can be used to retrieve additional attributes associated with a given user/host. It can even perform lookups based on fields in the cert presented, but it can't be used to store X.509 certificate data.
And finally, if I use EAP-TLS with X.509 certificates, do you mean I don't need to use the authentication against the active directory database ??? Maybe this is easier to me because I've put EAP-TLS to work.
No, the easier way is to complete the certificate chain using the signing cert which created the client certs in the first place. This needs to be made available to the EAP-TLS module.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html