Can you use TLS and Request users authentication as well

Alan DeKok aland at
Wed Apr 19 20:45:31 CEST 2006

Walter Reynolds <waltr at> wrote:
> I knwo this.  But what prevents a user from just giving this password to 
> another.

  Nothing.  At some point, you have to admit that the only way you
"know" it's a particular user is because of the password.

  Certs won't solve this problem, and neither will passwords.

  It sounds like you don't need EAP-TTLS or anything else.  Instead,
you need to use one-time password cards (e.g. RSA or Cryptocard).
Then people can't give the password away to someone else.

> Maybe i need clarification.  With TLS, the user machine is checked based 
> on its requirement for a cert.  The server is checked by its cert as well. 
> Does the server cert have to be signed by the same server that signed the 
> supplicants cert? 

  Yes.  Or, the supplicant cert has to be signed by the server cert.

> And what if a public service (Verisign, Entrust.....)  was used.  If
> a supplicant tried to connect it would have the root ca in its
> keystore so no warning would be there.

  Yes.  There are limitations to existing technology.

> And what about using the built in Mac supplicant.  I see no way to input 
> the servers cert anyway.

  You could input it as a new "root" certificate.

> What am I missing?

  You're trying to solve a problem with technology that can't solve
the problem.

  For most what you're worried about, use one-time token cards, client
certificates signed by the server cert, and a self-signed server cert.
It won't address all of your concerns, but then again, no existing
technology will.

  Alan DeKok.

More information about the Freeradius-Users mailing list