Alan DeKoK wrote:
On Nov 20, 2017, at 3:58 PM, Brian Julin <BJulin@clarku.edu> wrote:
What I'm talking about here is the same server serving both PEAP clients with certificates and PEAP clients without certificates, and still being able to access the TLS-Client-* variables in post-auth if/when the client did provide a cert.
Yes, that works. I've tested it.
If you require a client cert for user A, you *don't* need to require a client cert for user B.
Oh... are you talking about setting the EAP-TLS-Require-Client-Cert control item? If so, the problem with that is: how do you know when to do that? It's undoubtably a useful feature for people who have a reliably consistent database of all identifiers that should present a cert, but in some environments that's just too chaotic to pull off... e.g. when users can nuke and reinstall an OS or multi-boot. Anyway I didn't mean to derail the user list. I could take this to a github issue unless there's a better place for wishlist stuff. Thanks for the clarifications. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html