eap-tls with valid and fake certificates.
aland at deployingradius.com
Fri Jan 17 13:47:21 CET 2020
On Jan 17, 2020, at 7:44 AM, Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
> OK I got it. Behind one SSID, you can very well branch into different
> EAP configs (actually I think , the first time I saw this was
> 10+ years ago in a post by Matthew :-) ).
> But doing EAP-TLS does mean to exchange keys, no matter if
> someone validates the client cert.
Doing EAP-TLS, TTLS, PEAP, even EAP-MSCHAPv2.
> IMO, the OP confuses the cases
> "no client cert at all" vs.
> "client cert must present, but the is not validated".
> You commented on the latter case, I on the former.
It's all the same. If the NAS expects to see MS-MPPE keys, then the RADIUS server *must* send them. And, send the correct ones. Otherwise it won't work.
More information about the Freeradius-Users