Graham Leggett wrote:
On 30 Aug 2010, at 9:00 AM, Alan DeKok wrote:
Then it's likely not doing EAP-TLS.
Can you be more specific when you say "it's"?
None of the pieces are doing EAP.
The routerboard in the middle is configured to do "passthrough" of eap to the radius server, and the radius server is configured to say the following:
default_eap_type = tls
That *allows* the server to do EAP. It doesn't make the PC do EAP.
The client (MacOSX) seems to have no idea that either the NAS or the radius server wants to use EAP-TLS, and pops up a window asking for both a certificate, and a username and password.
Exactly. So... configure the Mac system to do EAP. Configure the NAS to require EAP on the port. Neither of these issues are related to FreeRADIUS.
Over and above the steps followed above, I am in the dark as to whether something else need to be done to make this work.
See above.
There is no documentation because you don't need to do anything. When EAP-TLS is used, then any User-Name is accepted.
It would be useful if that was documented :)
That's how EAP-TLS *works*. This isn't a FreeRADIUS issue.
The "Username as MAC" behaviour seems to be mikrotik behaviour, without documentation I have no clear picture as to how this affects the login.
If the Mac system isn't doing EAP, then that would seem to affect the login process.
Am I correct in understanding that the client PC is not able to figure out for itself which type of EAP it should use, and that the end user has to manually set EAP-TLS for it work?
Yes. That's how EAP works.
The reason I ask is that my client PC gives a number of checkboxes as to the types of EAP it will support, which implies that it's the radius server that specifies the type of EAP accepted, but if you're telling me that I must manually set this on the client PC, it would imply this is not possible.
If you want to use EAP-TLS, there are certain things you *must* configure on the end system. It can't magically obtain a client certificate. You need to provide one. Alan DeKok.