TTLS and TLS

Alan DeKok aland at deployingradius.com
Wed Mar 5 17:13:30 CET 2008


Wolfgang Burger wrote:
> I am trying to configure FreeRadius to require a Certificate AND a
> username/password to accept a User.
> My clients are Macs (10.4.11).
> 
> I want TTLS to require a certificate so I've set:
>   EAP-TLS-Require-Client-Cert := Yes
> in the control items of the request.

  That should work, *if* the Mac client supports TTLS with a client
certificate.

> Now I set the client to do TLS (for the cert) and TTLS (for the password).

  Can this even be done on a Mac?

> What I get is the log below.
> 
> The Client doesn't send the certificate.

  Well, that would mean that the client doesn't support sending a
certificate for TTLS.  I'm not surprised; this is a fairly rare requirement.

> And how do I tell the server, that a valid certificate is not enough to
> get in?
> In the first log-file, you see that the client can disable ttls and
> still is accepted.

  If you want to disable EAP-TLS, then do that:

...
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
...

>   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate
>   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
> TLS Alert write:fatal:handshake failure
>     TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

  That's up to the client.  If it doesn't give the server a certificate,
there's not much more that it can do.

  Alan DeKok.
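To make the users-file semantics behind the two policy lines in this thread concrete, here is an added Python simulator (not FreeRADIUS code, and not from any poster) that parses a constructed users fragment and evaluates its check items (==) against a request to yield the control items (:=); it assumes simple string matching, and reply items and Fall-Through are deliberately left out.

```python
import re

# Constructed users-file fragment combining the two policies from the thread:
# reject bare EAP-TLS, and require a client certificate for TTLS.
USERS_FILE = """
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject

DEFAULT EAP-Type == EAP-TTLS, EAP-TLS-Require-Client-Cert := Yes
"""

# attribute, operator, value; values may be quoted and are comma separated
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=)\s*"?([^",]+?)"?\s*(?:,|$)')


def parse_users(text):
    """Return a list of (name, check_items, control_items) per entry.

    Simplification: only the first line of each entry is modelled, with
    '==' treated as a check item and ':=' as a control item.  Indented
    reply-item lines and Fall-Through are ignored.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith((' ', '\t')):
            continue  # blank line or reply-item line
        name, _, rest = line.partition(' ')
        checks, controls = {}, {}
        for attr, op, value in ITEM_RE.findall(rest):
            (checks if op == '==' else controls)[attr] = value
        entries.append((name, checks, controls))
    return entries


def evaluate(entries, request):
    """First entry whose name and check items all match wins.

    Returns the control items that entry would add to the request
    (e.g. Auth-Type := Reject), or {} when no entry matches.
    """
    for name, checks, controls in entries:
        if name != 'DEFAULT' and name != request.get('User-Name'):
            continue
        if all(request.get(attr) == val for attr, val in checks.items()):
            return dict(controls)
    return {}


if __name__ == '__main__':
    entries = parse_users(USERS_FILE)
    # constructed requests: bare EAP-TLS, TTLS, and an unrelated EAP type
    for req in ({'EAP-Type': 'EAP-TLS'}, {'EAP-Type': 'EAP-TTLS'},
                {'EAP-Type': 'EAP-PEAP'}):
        print(req, '->', evaluate(entries, req))
```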
