Am 17.01.20 um 12:27 schrieb Matthew Newton:
Yes, really, given the "only EAP-TLS" requirements above.
OK I got it. Behind one SSID, you can very well branch into different EAP configs (actually I think , the first time I saw this was 10+ years ago in a post by Matthew :-) ). But doing EAP-TLS does mean to exchange keys, no matter if someone validates the client cert. IMO, the OP confuses the cases "no client cert at all" vs. "client cert must present, but the is not validated". You commented on the latter case, I on the former. Thanks for clearing this up Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg