On 30 Aug 2010, at 9:00 AM, Alan DeKok wrote:
As a understand, what I am looking for is EAP-TLS, and I have attempted to configure it against a mikrotik routerboard. I see the radius packet entering the server, with the User-Name set to the MAC address of the incoming client (mikrotik default behaviour).
Then it's likely not doing EAP-TLS.
Can you be more specific when you say "it's"? The routerboard in the middle is configured to do "passthrough" of eap to the radius server, and the radius server is configured to say the following: default_eap_type = tls The client (MacOSX) seems to have no idea that either the NAS or the radius server wants to use EAP-TLS, and pops up a window asking for both a certificate, and a username and password. Over and above the steps followed above, I am in the dark as to whether something else need to be done to make this work.
My next step is to suitably configure freeradius to accept the login based on the attributes within the client certificate, and to accept any User-Name, however I can find no documentation how to do this.
There is no documentation because you don't need to do anything. When EAP-TLS is used, then any User-Name is accepted.
It would be useful if that was documented :)
Ideally, I would like the effective freeradius login name to be the DN of the client certificate.
Then use EAP-TLS. If the User-Name is the MAC, then you're not using EAP-TLS.
The "Username as MAC" behaviour seems to be mikrotik behaviour, without documentation I have no clear picture as to how this affects the login.
Does anyone know whether this is possible, and if so, what I need to tell freeradius to make this happen?
Tell the *NAS* to ask for EAP. Tell the *client PC* to use EAP-TLS.
Ok, now I am confused. Am I correct in understanding that the client PC is not able to figure out for itself which type of EAP it should use, and that the end user has to manually set EAP-TLS for it work? The reason I ask is that my client PC gives a number of checkboxes as to the types of EAP it will support, which implies that it's the radius server that specifies the type of EAP accepted, but if you're telling me that I must manually set this on the client PC, it would imply this is not possible. Can you clarify for me if possible? Regards, Graham --