Hi,
So some explanation about the relation between EAP-TLS and the user store would be great... Many thanks in advance.
client has a cert. server has a cert. client trusts server cert, server trusts client cert. its all certificates. yes, without further policies in place, if the client has a cert that is known/trusted by the RADIUS server then they are online. mutual certificate authentication. the users file is looked at - you see that, with the noops - if you want to control the user there are methods that use the users file - with freeradius 2 and 3 (especially 3) there is a new TLS handler that allows you to use unlang to define policies based on items in the client certificate. you can also use CRL/OSCP to block a client certificate...it is PKI after all.. alan