"[eap] = reject" after "Calling eap_md5 to process EAP data"

Alan DeKok aland at deployingradius.com
Tue Jul 7 23:18:21 CEST 2015


On Jul 7, 2015, at 4:23 PM, Kris Armstrong <kris.armstrong at me.com> wrote:
> Ok I see that.  I assume the username is coming from this portion of the client.cnf?

  In a way.  That file is used to create the certificate.  The common name of the certificate then becomes the EAP-Identity and the User-Name.

> I would have expected FR3 to ignore UserID/PWD when using EAP/TLS Certificates???

  It doesn't need passwords.  It *does* need User-Name, for things like proxying.

> If it doesn’t, do I have to create a username for each client cert?

  No.  But you *do* need to tell FreeRADIUS that the realm (i.e. domain name) is local, and that it shouldn't be stripped from the User-Name.  See raddb/proxy.conf.  This is documented.

> Or is there a conf file that I need to modify to work with EAP/TLS?

  No.

  Alan DeKok.
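
The local-realm setting referred to in the reply above, as an added illustration that is not part of the original message or the project's shipped configuration. The realm name `example.org` is a placeholder, and the client certificate's common name is assumed to have the form `user@example.org`.

```conf
# raddb/proxy.conf
# Added illustration; example.org is a placeholder realm name.

# A realm defined without a home server pool is local:
# requests for it are handled by this server and are not proxied.
realm example.org {
	# Do not strip the realm from the user name, so the name the server
	# works with stays "user@example.org", the same as the EAP-Identity
	# taken from the certificate's common name.
	nostrip
}
```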



