TLS authentication works, but does not check usernames against 'users' file.

Phil Mayers p.mayers at imperial.ac.uk
Tue Nov 30 17:15:34 CET 2010


On 30/11/10 16:10, Andrew Bovill wrote:
>
> It just seems weird that nearly ALL of the supplicants I've used
> *require* me to give a username/password (or at least an Identifier +
> password) in addition to the unlocked certificate. Maybe a better
> question is: What's the point of the username/pass that's also being
> sent by the supplicant?

Well, the username goes into the EAP-Identity field. For example you 
might put:

user at home.org.com

...and be in a radius roaming federation like eduroam, but your 
certificate may contain:

cn=user,o=Home Org,...

...so you need to be able to specify a username.

Password is not used in EAP-TLS; the supplicants I've seen don't ask for 
it (Windows, MacOS, Linux/NetworkManager, Nokia E-series)
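
Added example, not part of the original message and not FreeRADIUS code: the EAP-Identity string is chosen by the supplicant, while the certificate subject is what EAP-TLS actually verifies, so a server-side policy may want to tie the two together. The function names, the organisation-to-realm map and the sample values below are assumptions, constructed from the two example strings in the post.

```python
# Added illustration: bind the client-supplied EAP-Identity to the verified
# certificate subject. All names and the policy itself are assumptions.

# Constructed mapping: certificate "o=" value -> realm allowed for that org.
REALM_FOR_ORG = {"Home Org": "home.org.com"}


def split_identity(identity):
    """Split 'user@realm' into (user, realm); realm is None when absent."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, None
    return user, realm


def parse_subject(subject):
    """Parse a simple DN such as 'cn=user,o=Home Org' into a dict.

    Handles plain comma-separated RDNs only (no escaped commas, no
    multi-valued RDNs); the first occurrence of an attribute wins.
    """
    attrs = {}
    for rdn in subject.split(","):
        key, sep, value = rdn.partition("=")
        if sep:
            attrs.setdefault(key.strip().lower(), value.strip())
    return attrs


def identity_matches_cert(identity, subject, realm_for_org=REALM_FOR_ORG):
    """True only if the identity's user part equals the certificate CN and
    its realm is the one registered for the certificate's organisation."""
    user, realm = split_identity(identity)
    attrs = parse_subject(subject)
    cn = attrs.get("cn")
    if not user or cn is None or user.lower() != cn.lower():
        return False
    expected = realm_for_org.get(attrs.get("o"))
    if realm is None or expected is None:
        return False
    return realm.lower() == expected.lower()


if __name__ == "__main__":
    subject = "cn=user,o=Home Org"  # constructed sample subject
    for ident in ("user@home.org.com", "admin@home.org.com", "user"):
        print(ident, "->", identity_matches_cert(ident, subject))
```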
