Alan, I have CentOS 7.1 so the upgrade of the radius package is quite complicated, but I'll try. Could you guide me please, against what attribute I should check the client certificate for eap-tls mode? Thank you very much Alan for your time and effort Gracian ______________________________________________________________
Od: Alan DeKok <aland@deployingradius.com> Komu: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Datum: 05.12.2015 20:33 Předmět: Re: Freeradius EAP-TLS - every 2nd (even) attempt unsuccessfull
On Dec 5, 2015, at 1:40 PM, <gracian@centrum.cz> <gracian@centrum.cz> wrote: here is full (sorry for that) output of "radiusd -X" test during which an attempt was unsuccessfull again with tls cache disabled. As you can see below, there is not TLS-Client-Cert-Common-Name in the output so the check-eap-tls fails.
Upgrade to 3.0.10. And verify that the check *you added* for TLS-Client-Cert-Common-Name is correct. There is no way that simply disabling the "cache" entry causes authentication to fail. The default configuration does *not* have checks for TLS-Client-Cert-Common-Name. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>