Config for TLS, TTLS and PEAP and subject validation
Alan DeKok
aland at deployingradius.com
Thu Aug 11 23:13:11 CEST 2011
Daniel Bertolo wrote:
> I currently run FreeRADIUS 2.1.6
...
> authenticate {
>   Auth-Type eap {
>     eap
>     if (!"%{TLS-Client-Cert-Subject}" =~ /\/O=MyCompany\// ) {
That won't work in 2.1.6. You need at least 2.1.10.
> - This would belong in the "outer" request as there is no inner request
> with EAP-TLS, right?
Yes.
> - What happens to requests that don't provide a client certificate (the
> users who still use EAP-TTLS or PEAP)?
The TLS-Client-Cert-Subject is empty. You will need to check for EAP-TLS:
  if ((EAP-Type == EAP-TLS) && ("%{TLS-Client-Cert-Subject}" !~ /\/O=MyCompany\//)) {
...
> In conclusion, is there a way to distinguish between EAP-TLS requests
> and EAP-TTLS or PEAP requests? And if so, can I use a different server
> section for EAP-TLS?
Yes, and no.
Alan DeKok.
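The two checks discussed in the thread, modelled in Python as an added example (this is not code from the FreeRADIUS project or from either poster). The attribute names mirror the unlang snippet; the sample requests, the organisation name "MyCompany" and the parse_subject() helper are constructed for the example. It shows why the unguarded subject check rejects every PEAP and EAP-TTLS request (their TLS-Client-Cert-Subject is empty) and how gating on EAP-Type == EAP-TLS confines the organisation check to requests that actually carry a client certificate.

```python
# Added example: models Alan's EAP-TLS-gated subject check in Python.
# All request dictionaries below are constructed sample data.
import re

REQUIRED_ORG = "MyCompany"  # assumption: the organisation the policy expects


def parse_subject(subject):
    """Split an OpenSSL-style '/C=CH/O=Org/CN=user' subject into a dict.
    Empty components (from the leading slash) are skipped; a value may
    itself contain '=' because only the first '=' is used as separator."""
    attrs = {}
    for component in subject.split("/"):
        if not component:
            continue
        key, sep, value = component.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def naive_reject(request):
    """The original check: reject whenever the subject does not contain
    '/O=MyCompany/'. Requests without a client certificate (EAP-TTLS, PEAP)
    have an empty subject, so they are rejected as well."""
    subject = request.get("TLS-Client-Cert-Subject", "")
    return re.search(r"/O=MyCompany/", subject) is None


def gated_reject(request):
    """Alan's fix: only EAP-TLS requests carry a client certificate, so only
    they are subject to the organisation check. Matching the parsed 'O'
    attribute exactly (instead of a substring regex) is this example's choice."""
    if request.get("EAP-Type") != "EAP-TLS":
        return False
    attrs = parse_subject(request.get("TLS-Client-Cert-Subject", ""))
    return attrs.get("O") != REQUIRED_ORG


# Constructed sample requests covering the cases raised in the thread.
SAMPLE_REQUESTS = {
    "tls-ok": {"EAP-Type": "EAP-TLS",
               "TLS-Client-Cert-Subject": "/C=CH/O=MyCompany/CN=alice"},
    "tls-foreign": {"EAP-Type": "EAP-TLS",
                    "TLS-Client-Cert-Subject": "/C=CH/O=OtherOrg/CN=mallory"},
    "tls-org-last": {"EAP-Type": "EAP-TLS",
                     "TLS-Client-Cert-Subject": "/CN=bob/O=MyCompany"},
    "peap": {"EAP-Type": "PEAP", "TLS-Client-Cert-Subject": ""},
    "ttls": {"EAP-Type": "EAP-TTLS"},  # attribute absent entirely
}


def evaluate_all():
    """Return {name: (naive_reject, gated_reject)} for every sample request."""
    return {name: (naive_reject(req), gated_reject(req))
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (naive, gated) in evaluate_all().items():
        print(f"{name:12s} naive_reject={naive!s:5s} gated_reject={gated}")
```

Running it shows the PEAP and EAP-TTLS requests rejected by the unguarded check and accepted by the gated one, while a foreign-organisation EAP-TLS certificate is rejected by both. The "tls-org-last" sample also illustrates that the regex on the page needs a slash on both sides of O=MyCompany, so it depends on O not being the final subject component; comparing the parsed attribute removes that dependency.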