[EXT] Option to disable client certificate validation in freeradius server
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Aug 19 17:52:55 CEST 2019
> On 19 Aug 2019, at 10:37, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Aug 19, 2019, at 9:58 AM, Brian Julin <BJulin at clarku.edu> wrote:
>> I did start to look at the prospect of adding such features, but only got as far as
>> writing up a gist.
>>
>> https://gist.github.com/skids/04cd1b47792a862755a7b0fddb89f34c
>
> That sounds reasonable.
>
> For v4, Arran has re-worked all of the TLS handling. The certificate checking, session caching, etc. is all handled in a specialized virtual server.
>
> So things which required code changes in v3 just require "unlang" policies in v4.
Need another config item "request_client_cert" and control attribute that changes whether the certificate is requested independently of whether it's required.
I can see requesting a certificate in every scenario might cause issues if Windows/Android/macOS/iOS ever support multi-factor PEAP.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2