forcing client certificate authentication during EAP-PEAP and EAP-TTLS
Michael Wang
mwang25 at gmail.com
Thu Aug 4 19:47:56 CEST 2005
Hi,
I was wondering if there is a way to configure the radiusd to force
the client to present his certificate during EAP-PEAP and EAP-TTLS.
(I know this is not necessary, but I need to do it anyway...)
I saw an interesting piece of code in eaptls_initiate() which
indicates someone was thinking about it:

    /*
     * If we're TTLS or PEAP, then do NOT require a client
     * certificate.
     *
     * FIXME: This should be more configurable.
     */
    if (handler->eap_type != PW_EAP_TLS) {
        vp = pairfind(handler->request->config_items,
                      PW_EAP_TLS_REQUIRE_CLIENT_CERT);
        if (!vp) {
            client_cert = FALSE;
        } else {
            client_cert = vp->lvalue;
        }
    }

So it seems like radiusd will force client certificate authentication
during PEAP or TTLS if this particular value pair is set with
lvalue==1. But I don't see any code where the
PW_EAP_TLS_REQUIRE_CLIENT_CERT gets put into the config_items.
Can someone "in the know" comment?
I am looking at the source code from freeradius-1.0.4.
Thanks,
Michael