EAP-TLS and user name

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Fri Jul 25 14:18:46 CEST 2014


> So some explanation about the relation between EAP-TLS and the user store 
> would be great...
> Many thanks in advance.

client has a cert. server has a cert. client trusts server cert, server trusts client cert.
its all certificates.

yes, without further policies in place, if the client has a cert that is known/trusted
by the RADIUS server then they are online. mutual certificate authentication.

the users file is looked at - you see that, with the noops  - if you want
to control the user there are methods that use the users file - with freeradius 2 and
3 (especially 3) there is a new TLS handler that allows you to use unlang to
define policies based on items in the client certificate.

you can also use CRL/OSCP to block a client certificate...it is PKI after all..


More information about the Freeradius-Users mailing list