Wolfgang Burger wrote:
I am trying to configure FreeRadius to require a Certificate AND a username/password to accept a User. My clients are Macs (10.4.11).
I want TTLS to require a certificate so I've set: EAP-TLS-Require-Client-Cert := Yes in the control items of the request.
That should work, *if* the Mac client supports TTLS with a client certificate.
Now I set the client to do TLS (for the cert) and TTLS (for the password).
Can this even be done on a Mac?
What I get is the log below.
The Client does'nt send the certificate.
Well, that would mean that the client doesn't support sending a certificate for TTLS. I'm not surprised, this is a fairly rare requirement.
And how do I tell the server, that a valid certificate is not enough to get in? In the first log-file, you see that the client can disable ttls and still is accepted.
If you want to disable EAP-TLS, then do that: ... DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject ...
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure TLS Alert write:fatal:handshake failure TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
That's up to the client. If it doesn't give the server a certificate, there's not much more that it can do. Alan DeKok.