This is how far I get: --cut-- (3) Received Access-Request Id 227 from 176.23.5.126:34447 to 142.93.141.56:1812 length 240 (3) User-Name = "henrik.schack" (3) NAS-Identifier = "868a208e5107" (3) Called-Station-Id = "86-8A-20-8E-51-07:Schack-Radius" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Calling-Station-Id = "8C-85-90-86-02-F8" (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) Acct-Session-Id = "7E6FCAA312B559DD" (3) Acct-Multi-Session-Id = "514DA94808250535" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027076 (3) WLAN-AKM-Suite = 1027073 (3) Framed-MTU = 1400 (3) EAP-Message = 0x029b00060319 (3) State = 0xb7ab73e6b7307e049cc58c8fe41ba75d (3) Message-Authenticator = 0x9022c329b8e6b424f42bf8e53d3001df (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) [preprocess] = ok (3) eap: Peer sent EAP Response (code 2) ID 155 length 6 (3) eap: Ignoring NAK with request for unknown EAP type (3) [eap] = noop (3) [expiration] = noop (3) [logintime] = noop (3) } # authorize = ok (3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject: EXPAND %{User-Name} (3) attr_filter.access_reject: --> henrik.schack (3) attr_filter.access_reject: Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) eap: Expiring EAP session with state 0xb7ab73e6b7307e04 (3) eap: Finished EAP session with state 0xb7ab73e6b7307e04 (3) eap: Previous EAP request found for state 0xb7ab73e6b7307e04, released from the list (3) eap: Request was previously rejected, inserting EAP-Failure (3) eap: Sending EAP Failure (code 4) ID 155 length 4 (3) [eap] = updated (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated (3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (3) Sending delayed response (3) Sent Access-Reject Id 227 from 142.93.141.56:1812 to 176.23.5.126:34447 length 44 (3) EAP-Message = 0x049b0004 (3) Message-Authenticator = 0x00000000000000000000000000000000 --cut-- /Henrik On Sun, Jun 6, 2021 at 11:11 AM Henrik Schack <henrik@schack.dk> wrote:
Yes, I have come that far, but my Mac still wants to do some username/password authentication on top of that. I have the CA running, CA cert on my Mac, and a client cert installed as well.
Br Henrik
On Sun, Jun 6, 2021 at 11:07 AM Michael Schwartzkopff <ms@sys4.de> wrote:
On 06.06.21 11:00, Henrik Schack via Freeradius-Users wrote:
Great, you wouldn't happen to have a configuration example ?
/Henrik
On Sun, Jun 6, 2021 at 10:42 AM Michael Schwartzkopff <ms@sys4.de> wrote:
On 06.06.21 10:14, Henrik Schack via Freeradius-Users wrote:
Hi Is it possible to configure Freeradius to require only a valid TLS client cert created by own CA, in order to get an ACCEPT ?
/Henrik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes.
See sections tls-common and tls in the eap module.
Basically you have to enter the data about your CA and your server cert.
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Mvh/Best regards Henrik Schack Twitter: http://twitter.com/schack
-- Mvh/Best regards Henrik Schack Twitter: http://twitter.com/schack