Logging config to get certificate details

Jim Potter j.potter at bathspa.ac.uk
Mon Mar 25 10:06:39 CET 2019


Hi Alan,

Thanks for the quick reply!

So doesn't the client return a PEAP request containing the MSCHAPv2 request
encrypted using the server certificate? My hope was that if a client device
wasn't using a cert at all, I could see the format of the reply or
something similar... but then if the clients are using whatever cert is
sent out, but not validating it, that wouldn't show up.

OK, so, plan B - if I set up a rogue access point (FreeRadius WPE or
similar with a self-signed certificate), I could see who connects
regardless of the dubious cert, then chase them up. Would that work?

thanks again,

Jim

On Mon, 25 Mar 2019 at 08:55, Alan DeKok <aland at deployingradius.com> wrote:

> On Mar 25, 2019, at 4:53 AM, Jim Potter <j.potter at bathspa.ac.uk> wrote:
> >
> > We have a PEAP eduroam setup here, and I have a suspicion that not all our
> > users are using/validating the server certificate - I know we can set the
> > clients up to not use certificates and they can still connect fine. (I'm
> > not completely clear on the PEAP process and whether the clients are still
> > using the server cert but aren't validating it, or whether no cert is used
> > at all in this case).
>
>   You can't tell what the client is doing.
>
>   The server sends the certs to the client, and the client either
> validates them, or ignores them.  It doesn't tell the server what it's
> doing.
>
> > So what I'd like to find out is if I can set the server logging up to find
> > out about the certificates used by each client - whether a cert is being
> > requested, and if so, whether the certificate is being validated by the
> > clients. I know this is primarily a client issue, but I'm looking for signs
> > of this from the server so I can see how widespread this is. I've tried
> > auth_goodpass/auth_badpass (no luck), I'm not sure where next to look on
> > this - does anyone have any advice?
>
>   This information is available only on the client.  The client doesn't
> tell anyone else what it's doing.
>
>   Alan DeKok.



-- 
thanks,

Jim Potter
User Platform Engineer
IT Services
Bath Spa University

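
Because the thread concludes that certificate validation is visible only on the client, the supplicant configuration is the place to check. The following is an added example, not part of the original messages: it assumes clients that use wpa_supplicant, and audits a constructed sample config for PEAP networks that lack `ca_cert`/`ca_path` or any server-name constraint. The `audit` helper and all sample values are hypothetical.

```python
import re

# Constructed sample wpa_supplicant.conf (assumed client type; not from the thread).
SAMPLE_CONF = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="eduroam-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
}
network={
    ssid="eduroam-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.ac.uk"
}
network={
    ssid="home"
    psk="constructed-passphrase"
}
'''

# wpa_supplicant options that constrain the server certificate's name.
NAME_CHECKS = {"domain_suffix_match", "domain_match", "subject_match", "altsubject_match"}

def audit(conf_text):
    """Return {ssid: verdict} for each EAP network block (hypothetical helper)."""
    results = {}
    for block in re.findall(r"network=\{(.*?)\n\}", conf_text, re.S):
        opts = {}
        for line in block.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                opts[key.strip()] = value.strip().strip('"')
        if "eap" not in opts and "EAP" not in opts.get("key_mgmt", ""):
            continue  # PSK/open network: no server certificate involved
        if not ({"ca_cert", "ca_path"} & opts.keys()):
            verdict = "NO_VALIDATION"  # any server certificate is accepted
        elif not (NAME_CHECKS & opts.keys()):
            verdict = "CA_ONLY"  # any certificate issued by that CA is accepted
        else:
            verdict = "OK"
        results[opts.get("ssid", "?")] = verdict
    return results
```

Calling `audit(SAMPLE_CONF)` returns one verdict per EAP network; the PSK network is skipped.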

