Freeradius and client certificate support
Alan DeKok
aland at deployingradius.com
Mon Aug 30 14:41:47 CEST 2010
Graham Leggett wrote:
> I have a client certificate on the client PC already. This client
> certificate is trusted by a CA certificate, which is set under the
> "CA_file" option in the tls section of the eap configuration in freeradius.

OK.

> I have a routerboard offering a wifi interface, and this routerboard
> offers me just one single radius option called "passthrough". I
> understand that this means that an attempt will be made for the client
> PC to pass the EAP through to the radius server.

If you say so.

> What I want to happen is that the client PC makes an attempt to connect
> to the wireless network, and based on the fact that a valid client
> certificate is present, connection is established automatically using
> EAP-TLS.

Which requires the client to be configured to do that.

> Ideally I would like to look up the DN of the certificate in a database
> of some kind and accept or deny the connection, but at this point I'm
> focusing just on the most basic capability at this point - EAP-TLS.
>
> What do I need to do to the freeradius server to make this possible?

You've done it all.

> Do I need to switch off everything except for the tls section to stop
> freeradius trying to offer other EAP methods and confusing the client?

No.

For detailed instructions on EAP-TLS, see:

http://freeradius.org/doc/

Alan DeKok.