On Jan 4, 2018, at 12:06 AM, R.Geller <rg1@robertgeller.net> wrote:
I blew away all my configs, and running vanilla 3.0.13 from yum install. I am using out-of-the-box configs, and created users and clients file. I created certificate files, and I also tested with eapol_test
That's good.
I can authenticate with windows 10 client with no issues at this point. I created certificates based on README instructions with new install, and verified that I can connect with eap_test using ttls-eap-mschapv2 and others (ttls-pap)...
That's good/
At this point, I would like to lock down the authentication so that either the client cert is required, or authorized MAC. I did configure the authorized mac previously which was working, but stopped working, and I think the reason it stopped working prior had nothing to do with the MAC configs, but because the CA/CERTs I created expired.
Don't guess. Figure out the problem.
They are not expired now since I created them with a new EXPIRE date, but what is happening is that the clients/supplicant I am testing with can authenticate without the root/client certs installed.
Only if you configure the clients to do that.
I would rather authenticate with certificates, and not rely on authorized MACs at this point...
Can you point me in the direction of how to configure the radius server to only authenticate if the client certificate is installed?
Configure EAP-TLS, and disable all other EAP types. And be *methodical* about changes to the config. Make a change. Test it. Make a backup of the config. One of the top 3 reasons why people screw up their config is by making random changes without testing them, or without understanding what the changes do. And, it wastes enormous amounts of time. Alan DeKok.