thanks alan. it’s not freeradius related but might be interesting: EAP-TLS is working with a Cisco 7841 (v03) but not working with the 7841 (v04)…? so if someone has experience with that kind of phone it would be interesting. chris
On 20 Jul 2015, at 10:55 , Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
hi,
I’m trying to authenticate a Cisco IP Phone with 802.1X EAP-TLS. I added the Cisco root certs to the CA file and the CN name from the phone’s cert to the users file.
dont need to do that - its EAP-TLS - so long as the server likes the client cert (use OSCP, CRL or the EAP-TLS-CHECK module if you wish to change access-accept policies.
so long as the client has a cert known/trusted by the server...and the server has a cert from same CA and knows/trusts the CA, this pretty much works out of the box.
reasons it might not work? usually its because the client has the wrong time - thus the cert isnt valid yet...or has expired..usually the former
alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html