Graham Leggett wrote:
I have a client certificate on the client PC already. This client certificate is trusted by a CA certificate, which is set under the "CA_file" option in the tls section of the eap configuration in freeradius.
OK.
I have a routerboard offering a wifi interface, and this routerboard offers me just one single radius option called "passthrough". I understand that this means that an attempt will be made for the client PC to pass the EAP through to the radius server.
If you say so.
What I want to happen is that the client PC makes an attempt to connect to the wireless network, and based on the fact that a valid client certificate is present, connection is established automatically using EAP-TLS.
Which requires the client to be configured to do that.
Ideally I would like to lookup the DN of the certificate in a database of some kind and accept or deny the connection, but at this point I'm focusing just on the most basic capability at this point - EAP-TLS.
What do I need to do to the freeradius server to make this possible?
You've done it all.
Do I need to switch off everything except for the tls section to stop freeradius trying to offer other EAP methods and confusing the client?
No. For detailed instructions on EAP-TLS, see: http://freeradius.org/doc/ Alan DeKok.