eap-tls with valid and fake certificates.

Matthew Newton mcn at freeradius.org
Fri Jan 17 12:27:41 CET 2020

On Fri, 2020-01-17 at 12:06 +0100, Martin Pauly wrote:
> > > The idea is to authenticate users with EAP-TLS with
> > > certificates. People without any certificate should use a different
> > > VLAN provided by RADIUS. The only supported authentication should be
> > > EAP-TLS. Is it possible to make authentication with EAP-TLS with
> > > certificates for valid users and some "guest VLAN" for users
> > > which haven't any or have unknown certificates?
> > It's not possible. If the device doesn't present a valid certificate,
> > it won't authenticate. You can't force an "Accept" with EAP methods.
> Really?

Yes, really, given the "only EAP-TLS" requirements above.

Both "without a certificate should be in a different VLAN" and "guest
VLAN for users without a certificate, or an unknown cert" are
impossible. EAP-TLS *requires* a valid certificate to authenticate.

> Couldn't you branch the processing based on the outer ID?
> Let all your well-managed users present some special outer id
> and treat the rest differently.

Don't trust the outer ID. Look at the certificate data after it's been
validated, for example by using the check-eap-tls virtual server.
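As an added illustration of that last point (example configuration, not from the original post or the FreeRADIUS project files), a FreeRADIUS 3.x unlang fragment that decides on the validated certificate's issuer and subject in check-eap-tls, and assigns the VLAN in post-auth from the same attributes. The issuer DN, OU values, VLAN IDs and the assumption that TLS-Client-Cert-* attributes are in the outer request list at post-auth are placeholders/assumptions, not taken from the page.

```unlang
# mods-available/eap (assumed 3.x layout): send every validated client
# certificate through the check-eap-tls virtual server.
#   tls-config tls-common {
#       virtual_server = check-eap-tls
#   }

# sites-enabled/check-eap-tls: runs only after OpenSSL has validated the
# chain, so TLS-Client-Cert-* here is trustworthy; the outer identity
# (User-Name) is whatever the client chose to type and proves nothing.
server check-eap-tls {
    authorize {
        # Accept only certificates issued by our own device CA (placeholder DN).
        if (&TLS-Client-Cert-Issuer != "/C=XX/O=Example Corp/CN=Example Device CA") {
            reject
        }
        # Require a role the CA put into the subject; anything else is refused.
        # There is no "guest" fall-through: EAP-TLS cannot Accept without a cert.
        if (&TLS-Client-Cert-Subject !~ /OU=(Staff|Contractors)/) {
            reject
        }
        ok
    }
}

# sites-enabled/default, post-auth: assign the VLAN from the validated
# subject (assumes the cert attributes are present in the request list here).
post-auth {
    if (&TLS-Client-Cert-Subject =~ /OU=Staff/) {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "100"   # assumed staff VLAN
        }
    }
    elsif (&TLS-Client-Cert-Subject =~ /OU=Contractors/) {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "200"   # assumed contractor VLAN
        }
    }
}
```

Test with `radiusd -X` and watch for the TLS-Client-Cert-Subject value in the debug output before relying on the regexes.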
