I've updated check-eap-tls to show where you also need to enable it to make it easier for others. Thanks.
Awesome! Thank you.
If you haven't already, check your config into git/svn/whatever so you can go back to a working version if you break it. It helps, really.
OK! I've been keeping backups and copies of the original files... The devs in my office run git, maybe I can jump on their server.
Just a last reminder that because you're using public certs, you need to be *very* careful you don't let unwanteds in. For example, check that another certificate with the subject something.acme.com from the same CA won't validate.
Yes, I am very concerned about this and will be working with one of our devs to get the right regex for that as well. Thanks for pointing that out.
Good you've got it working. FreeRADIUS has very flexible and powerful config but it can sometimes take a while to get your head around it when you're not doing the very basics.
Thank you again. I can tell it's a great piece of software. I'm coming at this from an 802.1X need, but the company I work for also does a lot of work with telecom providers and ISPs. Our products are analytic in nature (i.e. - line speed packet analysis, IP to endpoint matching, compliance, and reporting), so more packet analysis of RADIUS, not for operational use. Despite having resources that know how to gleam information from RADIUS packets, nobody deploys the service itself. If I want to learn more of what RADIUS can do outside of the 802.1X infrastructure, do you recommend the O'Reilly RADIUS book, or is that out of date? Thank You, Matthew West On Thu, Sep 15, 2016 at 2:25 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Thu, Sep 15, 2016 at 02:11:22PM -0700, Matthew West wrote:
Off to learning CRLs and removing all non-EAP-TLS authentication mechanisms.
If you haven't already, check your config into git/svn/whatever so you can go back to a working version if you break it. It helps, really.
After that, I should have the server functioning the way that was requested of me.
Just a last reminder that because you're using public certs, you need to be *very* careful you don't let unwanteds in. For example, check that another certificate with the subject something.acme.com from the same CA won't validate.
Thank you all for helping me along.
Good you've got it working. FreeRADIUS has very flexible and powerful config but it can sometimes take a while to get your head around it when you're not doing the very basics.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html