On 11/30/2010 11:15 AM, Phil Mayers wrote:
On 30/11/10 16:10, Andrew Bovill wrote:
It just seems weird that nearly ALL of the suplicants I've used *require* me to give a username/password (or at least an Identifier + password) in addition to the unlocked certificate. Maybe a better question is: What's the point of the username/pass that's also being sent by the supplicant?
Well, the username goes into the EAP-Identity field. For example you might put:
user@home.org.com
...and be in a radius roaming federation like eduroam, but your certificate may contain:
cn=user,o=Home Org,...
...so you need to be able to specific a username.
Password is not used in EAP-TLS; the supplicants I've seen don't ask for it (Windows, MacOS, Linux/NetworkManager, Nokia E-series) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok, this makes more sense now. I think what was throwing me off was that the Android supplicant asks for the following when doing 802.1x EAP: EAP Method (I chose TLS) Phase 2 authentication (I left as none, but has things like CHAP, PAP, etc) CA cert user cert Identity Anonymous Identity Password It seemed to me that it wouldn't connect if I left the Identity blank, so that may be what was confusing me. I doesn't seem to me like there would be, but is there any way to have, say, a 'guest' certificate, that can be handed out to multiple people and be used simultaneously with EAP/TLS? --Andrew