eap-tls with valid and fake certificates.
Matthew Newton
mcn at freeradius.org
Fri Jan 17 12:27:41 CET 2020
On Fri, 2020-01-17 at 12:06 +0100, Martin Pauly wrote:
> > > The idea is to authenticate users with EAP-TLS with
> > > certificates. People without any certificate should use a different
> > > VLAN provided by RADIUS. The only supported authentication should be
> > > EAP-TLS. Is it possible to make authentication with EAP-TLS with
> > > certificates for valid users and some "guest VLAN" for users
> > > which haven't any or unknown certificates?
>
> > It's not possible. If the device doesn't present a valid certificate,
> > it won't authenticate. You can't force an "Accept" with EAP methods.
>
> Really?
Yes, really, given the "only EAP-TLS" requirements above.
Both "without a certificate should be in a different VLAN" and "guest
VLAN for users without a certificate, or an unknown cert" are
impossible. EAP-TLS *requires* a valid certificate to authenticate.
> Couldn't you branch the processing based on the outer ID?
> Let all your well-managed users present some special outer id
> and treat the rest differently.
Don't trust the outer ID. Look at the certificate data after it's been
validated, for example by using the check-eap-tls virtual server.
--
Matthew
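As an added example (not from this thread and not the FreeRADIUS project's own sample files), one way to follow the advice above in FreeRADIUS 3.x unlang: the check-eap-tls virtual server accepts or rejects on the validated certificate's issuer and subject, and the VLAN is then derived from the same certificate data instead of the outer identity. The CA name, OU value, CN suffix, file paths and VLAN numbers are assumed placeholders.

```unlang
# Added example, not project code. Placeholders: "Example Managed CA",
# OU=Managed, the "@example.org" CN suffix and VLAN ids 100/200.

# mods-available/eap (excerpt): every client certificate is handed to
# check-eap-tls after OpenSSL has validated the chain against ca_file.
eap {
	default_eap_type = tls
	tls-config tls-common {
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
		virtual_server = check-eap-tls
	}
	tls {
		tls = tls-common
	}
}

# sites-enabled/check-eap-tls: the TLS-Client-Cert-* attributes are taken
# from the certificate itself, so a client cannot choose them the way it
# chooses the outer EAP identity. Any "reject" fails the TLS handshake.
server check-eap-tls {
	authorize {
		# Only certificates issued by the managed CA are acceptable.
		if (&TLS-Client-Cert-Issuer !~ /CN=Example Managed CA/) {
			reject
		}
		# Bind the certificate to the naming scheme the policy expects.
		if (&TLS-Client-Cert-Common-Name !~ /@example\.org$/) {
			reject
		}
		ok
	}
}

# sites-enabled/default, post-auth (excerpt): a device with no or an unknown
# certificate never reaches here because EAP-TLS has already failed, so the
# VLAN decision only ever sees certificates the CA check above let through.
post-auth {
	update reply {
		&Tunnel-Type := VLAN
		&Tunnel-Medium-Type := IEEE-802
	}
	if (&TLS-Client-Cert-Subject =~ /OU=Managed/) {
		update reply {
			&Tunnel-Private-Group-Id := "100"
		}
	}
	else {
		update reply {
			&Tunnel-Private-Group-Id := "200"
		}
	}
}
```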