howto EAP-TLS on freeradius 2.0.2-3 ??

Joel MBA OYONE mba_oyone at
Mon May 19 01:10:17 CEST 2008

So i really wonder where is the problem !!!
maybe it is due to the hardware i use...

my switch is wireless controller -all AP rceive their config (RF, SSID, channels, Power Radio, security styuffs, etc..) from the switch. so when RADIUS authentication is set-up, every AP have to be authenticated by Freeradius before receiving the correct parameters by FR, using its @MAC as login and the word NOPASSWORD as password (that the theoroy said. cause i had to set Auth-Type := Accept to make it work). at this stage, authenticator is the wireless switch. it works with or without 802.1x ON. it work fine, and the AP are well manged by a centralpoint. no RADIUS problem with AP authetication.

- step2:
when an AP is recognized, end-users have to be autneticated too by RADIUS. this step, like the documentation says, the managed AP becomes "Authenticator". -so an entry exist for every AP in clients.conf too)

during the connection attempts, Radius receive acess request, and the correct certificate is chosen -he give me the correcte commonnameof certificate- but i think the supplicant (end-user on xp) never receive the access-challenge, even if it is sent by RADIUS Server.

i don't know if i am well understood or if I "do" misundertood something but it works like that at me now.

i installed, reinstalled and formated so much time that i am convincedthat i won't success alone.
Hey Ivan, won't you try to help me to fix this stone? i have definitely nodelay anymore, and no solution too. Freeradius is your own and i ma pretty sure that we could both fix the problem between a quarter or a half if you take fulll remote control of my computer and network, assisting you and telling my purpose. 

thanx for help.

----- Message d'origine ----
De : Ivan Kalik <tnt at>
À : FreeRadius users mailing list <freeradius-users at>
Envoyé le : Lundi, 19 Mai 2008, 0h37mn 23s
Objet : RE: Re : Re : Re : howto EAP-TLS on freeradius 2.0.2-3 ??

>Ok, we assume my certificates are corrects.
>So i have some more questions:
>- Certificate should be import for user accounts or for computer account ?

Who/what ever is you supplicant trying to authenticate. If the supplicant
can't find the correct certificate it will give up.

>- i use the file "users" as database for my accounts; when using eap-tls
>when trying eap-peap my accounts looks like that:
>>> johndoe     Auth-Type: = EAP, User-Password == �test1234"
>>>                      Tunnel-Type = 13,
>>>                      Tunnel-Medium-Type = 6,
>>> johndoe       User-Password == �test1234"
>>>                      Tunnel-Type = 13,
>>>                      Tunnel-Medium-Type = 6,

No, don't use Auth-Type. Use Cleartext-Password or NT-Password (names
clearly suugest are they encrypted and how) with mschap.

>- when i use eap-tls, it looks like that:
>>> johndoe 
>>>          Tunnel-Type = 13,
>>>          Tunnel-Medium-Type = 6,
>and sometimes, i add add the assignment of Vlan by using the attribute '
Tunnel-Private-Group-ID = 100" -vlan 100 is affected to the ssid i am
interested in-
>is it correct?

It will work, but it's more common to use "human" values (VLAN and

Ivan Kalik
Kalik Informatika ISP

List info/subscribe/unsubscribe? See

Do You Yahoo!?
En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités Yahoo! Mail 

More information about the Freeradius-Users mailing list