Config for TLS, TTLS and PEAP and subject validation
Daniel Bertolo
daniel.bertolo at switch.ch
Thu Aug 11 17:00:36 CEST 2011
Hi
I currently run FreeRADIUS 2.1.6 and have a working configuration for
EAP-TTLS and PEAP that is used for a WPA2 network. In addition to that,
I would like to allow our users to use their user certificate from a
public issuer to connect using EAP-TLS. This means that I have to check
if the subject contains our organisation. I read in previous threads
about checking the subject in the authenticate section:
authenticate {
        Auth-Type eap {
                eap
                # Reject if the client certificate subject does not name our organisation
                if ("%{TLS-Client-Cert-Subject}" !~ /\/O=MyCompany\//) {
                        reject
                }
        }
}
I have two questions about that:
- This would belong in the "outer" request as there is no inner request
with EAP-TLS, right?
- What happens to requests that don't provide a client certificate (the
users who still use EAP-TTLS or PEAP)?
In conclusion, is there a way to distinguish between EAP-TLS requests
and EAP-TTLS or PEAP requests? And if so, can I use a different server
section for EAP-TLS?
Thanks for your help.
Best regards,
Daniel
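As an added example (not code from the original post or from the FreeRADIUS project), the following unlang fragment shows one way to restrict the subject check to EAP-TLS sessions so that EAP-TTLS and PEAP sessions, which present no client certificate to the outer server, are not rejected by it. It assumes that rlm_eap has set the EAP-Type attribute in the request with the dictionary values TLS, TTLS and PEAP, and that TLS-Client-Cert-Subject is populated in the request at the point where the check runs (both are assumptions about the running server version, not facts stated in the post):

```unlang
authenticate {
        Auth-Type eap {
                eap

                #  Only EAP-TLS hands a client certificate to the outer
                #  server, so gate the subject check on the EAP method.
                #  EAP-Type is assumed to be set by rlm_eap for this request.
                if (EAP-Type == TLS) {
                        #  An absent TLS-Client-Cert-Subject expands to an
                        #  empty string, which fails the match, so a missing
                        #  or wrong-organisation certificate is rejected
                        #  rather than silently accepted.
                        if ("%{TLS-Client-Cert-Subject}" !~ /\/O=MyCompany\//) {
                                reject
                        }
                }
        }
}
```

The negated regex operator (!~) replaces the prefix negation used in the post, and the outer if means a TTLS or PEAP session never reaches the certificate check at all, so users without a certificate are handled solely by the inner tunnel as before.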
More information about the Freeradius-Users mailing list