On Jan 16, 2020, at 9:05 AM, uj2.hahn@posteo.de wrote:
Hi! I think I got it to work!!
That's good. For the benefit of others reading this, what was wrong?
To refresh the memory: Radius based WLAN access control in a school for students and teachers. But there are some school-owned Win 10 tablets which should be able to login automatically via Radius client certificates. It seems it is working now! Thanks for your great support!
Good to hear.
Can you guys do me the favor to confirm that everything is going right with the certs (see debug file below)?
If there's an Access-Accept and the system gets on WiFi, it's OK. Nothing else matters.
Once you confirm, then I have a new question: We use a Captive Portal connected to the freeradius server. This is fine to let user accept terms and conditions etc. But for the special user behind the client certificate ("RadiusClient") we don't want to see this Captive Portal web site. Is there anything freeradius can do or is it purely a CP configuration thing?
You need to bypass the captive portal completely. It has nothing to do with FreeRADIUS. Typically you have a "closed" SSID which requires EAP / certificates. Then, you have an "open" SSID which is controlled by the captive portal. You can't mix & match EAP and captive portals. The protocols are designed to make this impossible. Alan DeKok.