PEAP correct client certificate
Brian Julin
BJulin at clarku.edu
Mon Nov 20 22:27:32 CET 2017
Alan DeKok wrote:
> On Nov 20, 2017, at 3:58 PM, Brian Julin <BJulin at clarku.edu> wrote:
> > What I'm talking about here is the same server serving both PEAP clients with certificates
> > and PEAP clients without certificates, and still being able to access the TLS-Client-* variables
> > in post-auth if/when the client did provide a cert.
>
> Yes, that works. I've tested it.
>
> If you require a client cert for user A, you *don't* need to require a client cert for user B.
Oh... are you talking about setting the EAP-TLS-Require-Client-Cert control item?
If so, the problem with that is: how do you know when to do that? It's undoubtedly a useful
feature for people who have a reliably consistent database of all identifiers that should
present a cert, but in some environments that's just too chaotic to pull off... e.g. when users
can nuke and reinstall an OS or multi-boot.
Anyway, I didn't mean to derail the user list. I could take this to a GitHub issue unless there's
a better place for wishlist stuff. Thanks for the clarifications.