On 30 Aug 2010, at 2:41 PM, Alan DeKok wrote:
Ideally I would like to lookup the DN of the certificate in a database of some kind and accept or deny the connection, but at this point I'm focusing just on the most basic capability at this point - EAP-TLS.
What do I need to do to the freeradius server to make this possible?
You've done it all.
The closest I've got is to use a MacOSX Snow Leopard machine, and manually specify EAP-TLS, and manually choose the certificate, but at that point I get this: Mon Aug 30 08:12:56 2010 : Error: TLS_accept:error in SSLv3 read client hello C Mon Aug 30 08:12:56 2010 : Error: rlm_eap: SSL error error: 140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized Mon Aug 30 08:12:56 2010 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. Mon Aug 30 08:12:56 2010 : Error: rlm_eap: SSL error error: 00000000:lib(0):func(0):reason(0) Mon Aug 30 08:12:56 2010 : Error: rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails. Mon Aug 30 08:12:56 2010 : Auth: Login incorrect: [snip-cn-of- certificate] (from client hotspot port 0 cli 34-15-9E-90-F7-5B) Do you know what a "session id context" is, and why one might be uninitialised?
For detailed instructions on EAP-TLS, see:
The only reference to EAP-TLS on the above page is under a section called "Older Documents". The first link is to a PDF file called EAPTLS.pdf, and these instructions tell you to go to "http://www.missl.cs.umd.edu/wireless/eaptls/ " for instructions on how to configure EAP-TLS in freeradius, and this URL no longer exists. The second link is entitled "Another eap-tls HOWTO", which again links to http://www.missl.cs.umd.edu/wireless/eaptls/, is broken as above. Is there any other mention of EAP-TLS in the documentation anywhere? Google wasn't able to find anything. Regards, Graham --