Can you use TLS and Request users authentication as well

A.L.M.Buxey at lboro.ac.uk
Tue Apr 18 19:10:58 CEST 2006


Hi,

> that the cert was trusted.  The problem is coming from a university, we do 
> not have a way to control a user's machine.  So a user could take that 
> certificate and put it onto a friend's machine.  This friend may not be 

if the certificate (pkcs12 file) was password protected, then that password
would have to be entered before it could be installed onto a Windows machine
certificate store...or onto a MacOSX keychain...or used with Linux supplicant.

> Is this something that can be done?  Has anyone run into a similar problem 
> and what did they do?  I know we could go TTLS and not have a machine 
> cert, but then we get fears of man-in-the-middle.

surely you'd have your system's certificate put onto the hosts...so when they
associate to the network via TTLS then, if the cert doesn't match they get a
nice warning (or no connection at all depending on config). teach the users
never to ignore warnings (though we've all now had to suffer snakeoil certs
on local secure http servers, out of date SSL certs on public hot spots etc ;-)

alan
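
Added example, not part of the original message: the "no connection at all depending on config" case for EAP-TTLS, shown as a weak and a hardened network block. It assumes wpa_supplicant as the Linux supplicant; the SSID, identities, realm and file path are constructed placeholders.

```conf
# Constructed wpa_supplicant.conf fragment. The two blocks are alternatives
# for the same network; deploy only the hardened one.

# Weak: no ca_cert (or ca_path), so the RADIUS server certificate is not
# verified and the inner credentials can be sent to a rogue access point.
network={
    ssid="campus-example"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="placeholder-password"
    phase2="auth=PAP"
}

# Hardened: trust only the site's own CA and require the expected server
# name. A certificate that does not match fails the TLS handshake, so there
# is no warning dialog for the user to click through.
network={
    ssid="campus-example"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="placeholder-password"
    phase2="auth=PAP"
    # CA that issued the RADIUS server certificate (placeholder path)
    ca_cert="/etc/ssl/certs/example-campus-ca.pem"
    # Expected DNS name in the server certificate (placeholder name);
    # older wpa_supplicant releases use subject_match / altsubject_match.
    domain_suffix_match="radius.example.edu"
}
```

Pinning the CA alone is not enough when that CA also issues certificates to other parties, which is why the server name check is included.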



More information about the Freeradius-Users mailing list