PEAP correct client certificate

Alan DeKok aland at deployingradius.com
Mon Nov 20 13:21:34 CET 2017


On Nov 20, 2017, at 2:53 AM, Oliver Tollning <oliver at tollning.com> wrote:
> Since I only want to use PEAP I disabled every other authentication method by commenting out everything else in /sites-enabled/default. This works fine, since I can't connect with normal EAP anymore.

  OK...

> I went through the process of creating my own certificate with openssl and set everything up in eap.conf under eap-tls{}. In peap{} I added EAP-TLS-Require-Client-Cert = Yes.

  Why?  Nothing in that file suggested you could do that.

> The problem is that the client can connect to the server even though he doesn't have the correct client certificate.
> 
> How can I tell the server to check the client certificate?

  Read the comments in the "eap.conf" file.  They tell you what to do.

  The attribute has to go into the "control" list.  See "man unlang".

  e.g.  Somewhere in the "authorize" section, add:

	update control {
		EAP-TLS-Require-Client-Cert = Yes
	}

  But be aware that many clients *cannot* do client certificates with PEAP.

  Alan DeKok.