Freeradius and client certificate support

Graham Leggett minfrin at sharp.fm
Mon Aug 30 13:17:24 CEST 2010


On 30 Aug 2010, at 9:00 AM, Alan DeKok wrote:

>> As I understand, what I am looking for is EAP-TLS, and I have attempted
>> to configure it against a mikrotik routerboard. I see the radius packet
>> entering the server, with the User-Name set to the MAC address of the
>> incoming client (mikrotik default behaviour).
>
>  Then it's likely not doing EAP-TLS.

Can you be more specific when you say "it's"?

The routerboard in the middle is configured to do "passthrough" of eap
to the radius server, and the radius server is configured to say the
following:

default_eap_type = tls

The client (MacOSX) seems to have no idea that either the NAS or the
radius server wants to use EAP-TLS, and pops up a window asking for
both a certificate, and a username and password.

Over and above the steps followed above, I am in the dark as to
whether something else needs to be done to make this work.

>> My next step is to suitably configure freeradius to accept the login
>> based on the attributes within the client certificate, and to accept any
>> User-Name, however I can find no documentation how to do this.
>
>  There is no documentation because you don't need to do anything. When
> EAP-TLS is used, then any User-Name is accepted.

It would be useful if that was documented :)

>> Ideally, I would like the effective freeradius login name to be the DN
>> of the client certificate.
>
>  Then use EAP-TLS.  If the User-Name is the MAC, then you're not using
> EAP-TLS.

The "Username as MAC" behaviour seems to be mikrotik behaviour;
without documentation I have no clear picture as to how this affects
the login.

>> Does anyone know whether this is possible, and if so, what I need to
>> tell freeradius to make this happen?
>
>  Tell the *NAS* to ask for EAP.  Tell the *client PC* to use EAP-TLS.

Ok, now I am confused.

Am I correct in understanding that the client PC is not able to figure
out for itself which type of EAP it should use, and that the end user
has to manually set EAP-TLS for it to work?

The reason I ask is that my client PC gives a number of checkboxes as
to the types of EAP it will support, which implies that it's the
radius server that specifies the type of EAP accepted, but if you're
telling me that I must manually set this on the client PC, it would
imply this is not possible.

Can you clarify for me if possible?

Regards,
Graham
--
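The configuration the thread is circling around, as an added example that is not part of the original message or of FreeRADIUS's shipped files: a FreeRADIUS 2.x style `eap.conf` fragment for EAP-TLS, plus a `post-auth` fragment that returns the client certificate's subject DN as the User-Name in the Access-Accept, so the NAS uses the certificate identity rather than the MAC it sent. The certificate paths, the private key password and the attribute names `TLS-Client-Cert-Subject` / `TLS-Client-Cert-Common-Name` are assumptions for illustration (the attribute names follow FreeRADIUS's internal dictionary; check them against the dictionary of the version actually deployed).

```conf
# --- eap.conf (added example; paths and password are assumptions) ---
eap {
	# Offer EAP-TLS first; a supplicant that wants another method will NAK
	# and must have been configured for EAP-TLS on the client side anyway.
	default_eap_type = tls
	timer_expire = 60
	ignore_unknown_eap_types = no

	tls {
		certdir = ${confdir}/certs
		cadir   = ${confdir}/certs

		# Server identity presented to the supplicant during the handshake.
		private_key_password = whatever
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem

		# CA that issued the *client* certificates. A client certificate
		# that does not chain to this CA fails the TLS handshake, so this
		# file is the actual access-control decision for EAP-TLS.
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom

		fragment_size = 1024
		include_length = yes

		# Revocation is off by default; set to yes and place the CRL in
		# cadir if revoked client certificates must be rejected.
		check_crl = no

		# Keep this commented out. With a NAS that sends the MAC address
		# as User-Name, tying the certificate CN to User-Name would reject
		# every valid client. The identity comes from the certificate.
		# check_cert_cn = %{User-Name}
	}
}

# --- sites-enabled/default, post-auth section (added example) ---
post-auth {
	# After a successful handshake the peer certificate is exposed as
	# TLS-Client-Cert-* attributes (assumed names, see the lead-in).
	if (TLS-Client-Cert-Subject) {
		update reply {
			# Hand the certificate subject DN back as User-Name so the
			# NAS logs and accounts under the certificate identity, not
			# the MAC address it put in the Access-Request.
			User-Name := "%{TLS-Client-Cert-Subject}"
		}
	}
}
```

Two things to verify after applying this: run `radiusd -X` and confirm that the debug output shows the TLS handshake completing and the `TLS-Client-Cert-*` attributes being added before `post-auth` runs, and confirm the NAS honours a User-Name returned in the Access-Accept (RFC 2865 permits it, but not every NAS uses it for accounting).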



