Freeradius and client certificate support
Alan DeKok
aland at deployingradius.com
Mon Aug 30 09:00:28 CEST 2010
Graham Leggett wrote:
> As I understand, what I am looking for is EAP-TLS, and I have attempted
> to configure it against a mikrotik routerboard. I see the radius packet
> entering the server, with the User-Name set to the MAC address of the
> incoming client (mikrotik default behaviour).
Then it's likely not doing EAP-TLS.
> My next step is to suitably configure freeradius to accept the login
> based on the attributes within the client certificate, and to accept any
> User-Name, however I can find no documentation how to do this.
There is no documentation because you don't need to do anything. When
EAP-TLS is used, then any User-Name is accepted.
> Ideally, I would like the effective freeradius login name to be the DN
> of the client certificate.
Then use EAP-TLS. If the User-Name is the MAC, then you're not using
EAP-TLS.
> Does anyone know whether this is possible, and if so, what I need to
> tell freeradius to make this happen?
Tell the *NAS* to ask for EAP. Tell the *client PC* to use EAP-TLS.
Alan DeKok.
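
Added example, not part of the original post or of FreeRADIUS: one way to check the point made above, that a request whose User-Name is the MAC is not EAP, by looking for an EAP-Message attribute in the Access-Request. The function names and both sample packets are constructed for illustration.

```python
import struct

# RADIUS attribute numbers (RFC 2865, RFC 3579) and EAP method types (RFC 3748).
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, EAP_MESSAGE = 1, 2, 3, 79
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def parse_attributes(packet: bytes):
    """Return [(type, value), ...] from a RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def classify(packet: bytes) -> dict:
    """Report User-Name and whether the request uses EAP, PAP or CHAP."""
    attrs = parse_attributes(packet)
    user = next((v.decode("utf-8", "replace") for t, v in attrs if t == USER_NAME), None)
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)  # fragments concatenate
    if eap:
        # Byte 4 of an EAP Request/Response is the type. The first request is
        # Identity; 13 (EAP-TLS) only shows up once the method is negotiated.
        method = EAP_TYPES.get(eap[4], str(eap[4])) if len(eap) >= 5 else "no type"
    else:
        types = {t for t, _ in attrs}
        method = "CHAP" if CHAP_PASSWORD in types else "PAP" if USER_PASSWORD in types else "none"
    return {"user_name": user, "eap": bool(eap), "method": method}

def build(attrs) -> bytes:
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: MAC-as-User-Name with a password, and an EAP identity response.
MAC_AUTH = build([(USER_NAME, b"00:11:22:33:44:55"), (USER_PASSWORD, bytes(16))])
EAP_START = build([(USER_NAME, b"client1"),
                   (EAP_MESSAGE, struct.pack("!BBHB", 2, 0, 12, 1) + b"client1")])

if __name__ == "__main__":
    for name, pkt in (("MAC_AUTH", MAC_AUTH), ("EAP_START", EAP_START)):
        print(name, classify(pkt))
```
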