17 Jan
2020
17 Jan
'20
7:47 a.m.
On Jan 17, 2020, at 7:44 AM, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
OK I got it. Behind one SSID, you can very well branch into different EAP configs (actually I think , the first time I saw this was 10+ years ago in a post by Matthew :-) ).
Yes.
But doing EAP-TLS does mean to exchange keys, no matter if someone validates the client cert.
Doing EAP-TLS, TTLS, PEAP, even EAP-MSCHAPv2.
IMO, the OP confuses the cases "no client cert at all" vs. "client cert must present, but the is not validated". You commented on the latter case, I on the former.
It's all the same. If the NAS expects to see MS-MPPE keys, then the RADIUS server *must* send them. And, send the correct ones. Otherwise it won't work. Alan DEKok.