Alan DeKok aland at
Fri Sep 23 21:30:23 CEST 2016

On Sep 23, 2016, at 3:20 PM, Peter Lesko <plesko at> wrote:
> I'm having a similar issue to the one described here:
> Currently, I can auth with just a signed cert, or just username/password
> I would like to enforce both, but I have been unable to determine the
> correct keywords/config after reading many forum posts, in addition to the
> comments provided in the default configuration


> I have attempted to add this config line to enforce signed certs in
> sites-available/default:
> EAP-TLS-Require-Client-Cert = yes
> This causes freeradius not to start for me though,

  The server produces an error message when run in debug mode.  Are you reading it?

  Or, maybe you're not even using debug mode.  Why not?

> and I'm pretty certain I
> have tried putting that in each block present in the file

  Don't "try hard".  Follow the documentation and examples.

  You CANNOT just put that text into the default virtual server, and expect it to work.  The format of that file is documented.  Please read "man unlang".

> As for requiring user/password auth, I have tried:
> DEFAULT EAP-Type == EAP-Type-TLS, Auth-Type := Reject
> Which causes freeradius to fail to load

  It may be useful to read the error message it produces.

> DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject
> Which still allows EAP-TLS only
> DEFAULT EAP-Type != PEAP, Auth-Type := Reject
> Which still allows EAP-TLS only as well
> Please advise

  Read the documentation and examples to see how the server works.  Don't invent your own syntax.

  In the "authorize" section, add:

	update control {
		EAP-TLS-Require-Client-Cert = yes

  Alan DeKok.

More information about the Freeradius-Users mailing list