Freeradius and client certificate support
Graham Leggett
minfrin at sharp.fm
Mon Aug 30 14:30:54 CEST 2010
On 30 Aug 2010, at 2:01 PM, Alan DeKok wrote:
> If you want to use EAP-TLS, there are certain things you *must*
> configure on the end system. It can't magically obtain a client
> certificate. You need to provide one.
Let me start again.
I have a client certificate on the client PC already. This client
certificate is trusted by a CA certificate, which is set under the
"CA_file" option in the tls section of the eap configuration in
freeradius.
I have a routerboard offering a wifi interface, and this routerboard
offers me just one single radius option called "passthrough". I
understand that this means that an attempt will be made for the client
PC to pass the EAP through to the radius server.
What I want to happen is that the client PC makes an attempt to
connect to the wireless network, and based on the fact that a valid
client certificate is present, connection is established automatically
using EAP-TLS.
Ideally I would like to look up the DN of the certificate in a database
of some kind and accept or deny the connection, but at this point I'm
focusing just on the most basic capability - EAP-TLS.
What do I need to do to the freeradius server to make this possible?
Do I need to switch off everything except for the tls section to stop
freeradius trying to offer other EAP methods and confusing the client?
Regards,
Graham
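One way to do both things asked above (offer nothing but EAP-TLS, then gate on the certificate DN), as an added example written against the FreeRADIUS 2.x eap.conf and unlang conventions rather than taken from this thread or from the project's shipped defaults; the certificate paths, the key password, and the expected OU value are placeholders, and the attribute name TLS-Client-Cert-Subject should be checked against the dictionary of the version actually deployed.

```text
# eap.conf: list only the tls sub-section, so the server never
# negotiates md5/leap/ttls/peap and the supplicant goes straight
# to the TLS handshake with its existing client certificate.
eap {
    default_eap_type = tls

    tls {
        # Server identity presented to the supplicant (placeholder paths)
        private_key_password = PLACEHOLDER_KEY_PASSWORD
        private_key_file     = ${confdir}/certs/server.pem
        certificate_file     = ${confdir}/certs/server.pem

        # CA that issued the client certificates. A client certificate
        # that does not chain to it fails inside the TLS handshake,
        # before any policy in the virtual server is consulted.
        CA_file = ${confdir}/certs/ca.pem

        dh_file        = ${confdir}/certs/dh
        random_file    = /dev/urandom
        fragment_size  = 1024
        include_length = yes

        # Reject revoked client certificates as well as untrusted ones:
        # place the CA certs and CRLs in CA_path and run c_rehash on it.
        check_crl = yes
        CA_path   = ${confdir}/certs
    }
}

# sites-enabled/default, post-auth section: after a successful
# EAP-TLS handshake the subject DN is available as
# TLS-Client-Cert-Subject, so it can be matched here. A regex on
# the OU is shown; for a real database the same %{TLS-Client-Cert-Subject}
# value can be passed into an sql or ldap module query instead.
post-auth {
    # Defensive: no subject means no client certificate was verified.
    if (!TLS-Client-Cert-Subject) {
        reject
    }
    # Placeholder policy: only certificates issued into this OU.
    if (TLS-Client-Cert-Subject !~ /\/OU=Wireless Users\//) {
        reject
    }
}
```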