PEAP + EAP-TLS: client certificates

Vieri rentorbuy at yahoo.com
Thu Oct 22 15:27:08 CEST 2009



--- On Thu, 10/22/09, Vieri <rentorbuy at yahoo.com> wrote:

> From: Vieri <rentorbuy at yahoo.com>
> Subject: Re: PEAP + EAP-TLS: client certificates
> To: freeradius-users at lists.freeradius.org
> Date: Thursday, October 22, 2009, 9:05 AM
> 
> --- On Thu, 10/22/09, Ivan Kalik <tnt at kalik.net> wrote:
> 
> > > If I install a self-signed certificate on another Windows client and
> > > connect via EAP-TLS then I can connect without having to use an Active
> > > Directory user, as expected.
> > >
> > > I'm wondering if I can *require* both a certificate on the client machine
> > > AND an AD user authentication. In other words, how can I *require*
> > > PEAP-EAP-TLS? (currently, my freeradius configuration seems to require
> > > PEAP OR EAP-TLS)
> > >
> > > Freeradius version: 2.0.5
> > 
> > Don't know about that version. It should say how to require certificates
> > for peap in eap.conf above peap section.
> 
> Is this the option?
> EAP-TLS-Require-Client-Cert = Yes
> I'm not sure where I should place it.

If in eap.conf I have:

  peap {
    ...
    virtual_server = "inner-tunnel"
  }

then maybe I should edit sites-available/inner-tunnel and add:

  server inner-tunnel {
    ...
    authorize {
      ...
      update control {
        ...
        EAP-TLS-Require-Client-Cert = Yes
      }
    }
  }

Is this correct?



      


