Graham Leggett wrote:
As a understand, what I am looking for is EAP-TLS, and I have attempted to configure it against a mikrotik routerboard. I see the radius packet entering the server, with the User-Name set to the MAC address of the incoming client (mikrotik default behaviour).
Then it's likely not doing EAP-TLS.
My next step is to suitably configure freeradius to accept the login based on the attributes within the client certificate, and to accept any User-Name, however I can find no documentation how to do this.
There is no documentation because you don't need to do anything. When EAP-TLS is used, then any User-Name is accepted.
Ideally, I would like the effective freeradius login name to be the DN of the client certificate.
Then use EAP-TLS. If the User-Name is the MAC, then you're not using EAP-TLS.
Does anyone know whether this is possible, and if so, what I need to tell freeradius to make this happen?
Tell the *NAS* to ask for EAP. Tell the *client PC* to use EAP-TLS. Alan DeKok.