TTLS and TLS
    Alan DeKok
    aland at deployingradius.com
    Wed Mar  5 17:13:30 CET 2008

Wolfgang Burger wrote:
> I am trying to configure FreeRadius to require a Certificate AND a
> username/password to accept a User.
> My clients are Macs (10.4.11).
> 
> I want TTLS to require a certificate so I've set:
>   EAP-TLS-Require-Client-Cert := Yes
> in the control items of the request.
  That should work, *if* the Mac client supports TTLS with a client
certificate.
> Now I set the client to do TLS (for the cert) and TTLS (for the password).
  Can this even be done on a Mac?
> What I get is the log below.
> 
> The Client doesn't send the certificate.
  Well, that would mean that the client doesn't support sending a
certificate for TTLS.  I'm not surprised; this is a fairly rare requirement.
> And how do I tell the server, that a valid certificate is not enough to
> get in?
> In the first log-file, you see that the client can disable ttls and
> still is accepted.
  If you want to disable EAP-TLS, then do that:
...
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
...
>   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate
>   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
> TLS Alert write:fatal:handshake failure
>     TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  That's up to the client.  If it doesn't give the server a certificate,
there's not much more that it can do.
  Alan DeKok.
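To make the semantics of that users-file entry concrete, here is a small added model (my own illustration, not FreeRADIUS code) of how the first matching entry's "==" check items are compared against the request and how its ":=" items then become control items. The two-entry users fragment is constructed for the example; it pairs Alan's EAP-TLS reject entry with the EAP-TLS-Require-Client-Cert control item from the original question, and the entry names, attribute values and request dicts are assumptions for illustration.

```python
import re

# Constructed users-file fragment (assumption, not from the thread): the reject
# entry Alan gives, plus a second DEFAULT that sets the control item Wolfgang used.
USERS_FILE = """\
# reject plain EAP-TLS outright
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
# for TTLS, insist on a client certificate in the outer TLS handshake
DEFAULT EAP-Type == EAP-TTLS, EAP-TLS-Require-Client-Cert := Yes
"""

# One item on an entry line: attribute, operator ("==" check or ":=" set), value.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=)\s*"?([^",]+)"?')


def parse_users(text):
    """Return [(entry_name, [(attr, op, value), ...])] for each entry line.

    Only check items on the entry line are modelled; indented reply-item
    continuation lines and Fall-Through are deliberately not handled."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("#", " ", "\t")):
            continue  # comment, blank, or reply-item continuation line
        name, _, rest = line.partition(" ")
        items = [(a, op, v.strip()) for a, op, v in ITEM_RE.findall(rest)]
        entries.append((name, items))
    return entries


def match_request(entries, username, request):
    """Apply the first matching entry, first-match wins (no Fall-Through).

    An entry matches when its name is DEFAULT or equals the username and
    every '==' check item equals the request attribute. The matched entry's
    ':=' items are returned as the resulting control items ({} if none match)."""
    for name, items in entries:
        if name not in ("DEFAULT", username):
            continue
        checks = [(a, v) for a, op, v in items if op == "=="]
        if all(request.get(a) == v for a, v in checks):
            return {a: v for a, op, v in items if op == ":="}
    return {}


if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    for eap_type in ("EAP-TLS", "EAP-TTLS", "PEAP"):
        print(eap_type, "->", match_request(entries, "wolfgang", {"EAP-Type": eap_type}))
```

Running it shows an EAP-TLS request picking up Auth-Type := Reject while an EAP-TTLS request gets only the client-certificate requirement, which is the split Alan's entry produces.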