eap-tls with valid and fake certificates.

Martin Pauly pauly at hrz.uni-marburg.de
Fri Jan 17 13:44:24 CET 2020

Am 17.01.20 um 12:27 schrieb Matthew Newton:
> Yes, really, given the "only EAP-TLS" requirements above.

OK I got it. Behind one SSID, you can very well branch into different
EAP configs (actually, I think the first time I saw this was
10+ years ago in a post by Matthew :-) ).
But doing EAP-TLS does mean to exchange keys, no matter if
someone validates the client cert.

IMO, the OP confuses the cases
"no client cert at all" vs.
"client cert must be present, but is not validated".
You commented on the latter case, I on the former.

Thanks for clearing this up

   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
