EAP-TLS without client authentication

Christopher Byrd chris at riosec.com
Thu Jan 8 06:13:40 CET 2009

This may sound like a strange request, but I'd like to know if it is
possible to use FreeRADIUS to perform EAP-TLS without asking for a
client certificate.  The purpose is to allow for a secure connection
to an access point without client authentication.  I think this might
be useful to replace "open wireless" for public wireless access with
something more secure.

According to the EAP-TLS RFC (rfc2716), it sounds like it might be possible:
"The certificate_request message is included when the server desires
the client to authenticate itself via public key. While the EAP server
SHOULD require client authentication, this is not a requirement, since
it may be possible that the server will require that the peer
authenticate via some other means."

I tried this with FreeRADIUS and eapol_test (from wpa_supplicant) with
the following result:

[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.

The only change I've made from the default eap.conf is to try
disabling  the CA_file setting (I've tried it both ways).

Does it sound like this is something that should be possible, or am I off base?



More information about the Freeradius-Users mailing list