TLS authentication works, but does not check usernames against 'users' file.

Andrew Bovill abovill at
Tue Nov 30 17:10:55 CET 2010

On 11/30/2010 11:05 AM, John McDonnell wrote:
>> -----Original Message-----
>> On Behalf Of Andrew Bovill
>>    Hi,
>> I'm trying to get WPA Enterprise EAP/TLS working with my wireless
>> router.  It appears that the TLS portion of the authentication works
>> (valid certificates give me a working connection) but it does NOT
>> appear
>> to actually be checking the username/password combination that is also
>> sent along the line.
>> I have followed the WPA_HOWTO as best I could (my clients are OS X and
>> Android and Gentoo, not Windows XP) but I can't figure out how to
>> 'fail'
>> an auth attempt with an invalid user/pass combination.
>> Here is the debug output:
>> Thanks for any advice.  I didn't want to start reconfiguring with a
>> shotgun :)
>> *snipped*
> IIRC, that is how EAP-TLS works. If the client has a valid certificate, it
> can connect.
> Check this previous message that is similar to what I think you are trying
> to do:
> tml
> -
> List info/subscribe/unsubscribe? See
Cool, I was wondering about that.

It just seems weird that nearly ALL of the suplicants I've used 
*require* me to give a username/password (or at least an Identifier + 
password) in addition to the unlocked certificate.  Maybe a better 
question is: What's the point of the username/pass that's also being 
sent by the supplicant?

--Andrew Bovill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list