"[eap] = reject" after "Calling eap_md5 to process EAP data"
Alan DeKok
aland at deployingradius.com
Tue Jul 7 23:18:21 CEST 2015
On Jul 7, 2015, at 4:23 PM, Kris Armstrong <kris.armstrong at me.com> wrote:
> Ok I see that. I assume the username is coming from this portion of the client.cnf?
In a way. That file is used to create the certificate. The common name of the certificate then becomes the EAP-Identity and the User-Name.
> I would have expected FR3 to ignore UserID/PWD when using EAP/TLS Certificates???
It doesn't need passwords. It *does* need User-Name, for things like proxying.
> If it doesn’t, do I have to create a username for each client cert?
No. But you *do* need to tell FreeRADIUS that the realm (i.e. domain name) is local, and that it shouldn't be stripped from the User-Name. See raddb/proxy.conf. This is documented.
> Or is there a conf file that I need to modify to work with EAP/TLS?
No.
Alan DeKok.
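
What the reply describes could look like this in raddb/proxy.conf. This is an added example, not part of the original message; the realm name example.org is a placeholder for the domain part of the certificate's common name.

```conf
# raddb/proxy.conf (added illustration; "example.org" is a placeholder realm)
#
# Assumption: the client certificate was created with a common name such as
# user@example.org, so the EAP-Identity and User-Name arrive as
# "user@example.org".

realm example.org {
	# No auth_pool / acct_pool is listed here, so requests for this
	# realm are handled by the local server instead of being proxied.

	# Keep the "@example.org" part of the name instead of stripping it.
	nostrip
}
```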