On Jul 7, 2015, at 4:23 PM, Kris Armstrong <kris.armstrong@me.com> wrote:
Ok I see that. I assume the username is coming from this portion of the client.cnf?
In a way. That file is used to create the certificate. The common name of the certificate then becomes the EAP-Identity and the User-Name.
I would have expected FR3 to ignore UserID/PWD when using EAP/TLS Certificates???
It doesn't need passwords. It *does* need User-Name, for things like proxying.
if it doesn’t do I have to create a username for each client cert?
No. But you *do* need to tell FreeRADIUS that the realm (i.e. domain name) is local, and that it shouldn't be stripped from the User-Name. See raddb/proxy.conf. This is documented.
Or is there a conf file that I need to modify to work with EAP/TLS?
No. Alan DeKok.