João Alves wrote:
I currently have a freeradius setup where the client authenticates using username/password. My goal is to authenticate the user using a client certificate (using EAP-TLS),
Which doesn't use passwords.
however, I would still like to maintain the username/password authentication.
And is therefore impossible.
Preferably the flow would be something like this:
1.User authenticates to radius_server_1 using EAP_TLS 2.radius_server_1 after authenticating the client (and only if authentication is sucessful) forwards a request to radius_server_2 with the client username/password 3.radius_server_2 authenticates client
So only if both radius_server_1 and radius_server_2 authenticate the client is the client granted access.
What you're describing is EAP-TTLS with client certificates. That is possible. Alan DeKok.