Sven 'Darkman' Michels wrote:
...The only problem i had was "where to force the client cert when using eap/tls"
EAP-TLS *always* uses a client cert.
which seems to work except that the cisco client simply don't offer a cert when using ttls. As far as i know, this requirement is not often met at any client (you posted some note about a while ago...)
Yes.
so we're calling cisco today to clearify how we can do maschine and user authentification with forced clientcert (i can only do ttls for maschine AND user/pw auth and not doing like tls for maschine and ttls for user/pw - their client doesn't support that - the new client just crashes when the server requires a cert, horray ;).
Nice!
Thanks for your help so far - the main issue was the old freeradius as it seems...
Yes. Upgrading is usually a good idea. Alan DeKok.