On 30 Aug 2010, at 2:01 PM, Alan DeKok wrote:
If you want to use EAP-TLS, there are certain things you *must* configure on the end system. It can't magically obtain a client certificate. You need to provide one.
Let me start again. I have a client certificate on the client PC already. This client certificate is trusted by a CA certificate, which is set under the "CA_file" option in the tls section of the eap configuration in freeradius. I have a routerboard offering a wifi interface, and this routerboard offers me just one single radius option called "passthrough". I understand that this means that an attempt will be made for the client PC to pass the EAP through to the radius server. What I want to happen is that the client PC makes an attempt to connect to the wireless network, and based on the fact that a valid client certificate is present, connection is established automatically using EAP-TLS. Ideally I would like to lookup the DN of the certificate in a database of some kind and accept or deny the connection, but at this point I'm focusing just on the most basic capability at this point - EAP-TLS. What do I need to do to the freeradius server to make this possible? Do I need to switch off everything except for the tls section to stop freeradius trying to offer other EAP methods and confusing the client? Regards, Graham --