PEAP/TTLS and Client certificates
Hello, I want to set up a radius server which authenticates users only once they provide their username, password AND client certificate. Now, I've managed to get this to work, my only problem is that as TTLS and PEAP use TLS, the TLS module must be enabled and configured. By doing so, users can also log in with just a client certificate. My real question here is: Is it possible to somehow force everyone to use PEAP or TTLS with a client certificate, while rejecting users trying to connect purely through TLS with only a client certificate? Kind regards, Remy -- View this message in context: http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-tp... Sent from the FreeRadius - User mailing list archive at Nabble.com.
So a few weeks later and still not much further.. Has anyone got an idea how I could force PEAP sessions to supply client a client certificate? -- View this message in context: http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-tp... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I already enabled said option, the only problem is that this doesn't enforce the use of PEAP with a client certificate, as the TLS module is enabled and configured, it allows you to log in with just a client certificate using TLS. What I want is to enforce the use of not just TLS but PEAP with a client cert. Suppose I should have made that clearer in my post, sorry about that. -Remy -- View this message in context: http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-tp... Sent from the FreeRadius - User mailing list archive at Nabble.com.
rdeboer wrote:
I already enabled said option, the only problem is that this doesn't enforce the use of PEAP with a client certificate, as the TLS module is enabled and configured, it allows you to log in with just a client certificate using TLS. What I want is to enforce the use of not just TLS but PEAP with a client cert.
The solution is to disable EAP-TLS by disallowing it. In the "users" file, do: DEFAULT EAP-Type == EAP-Type-TLS, Auth-Type := Reject Alan DeKok.
participants (2)
-
Alan DeKok -
rdeboer