Ttys/pap and Active Directory
Alan DeKok
aland at deployingradius.com
Thu Jul 9 22:36:09 CEST 2020
> On Jul 9, 2020, at 2:17 PM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Did I understand the procedure correctly?
> 1) In the eap module we specify the root certificate
> 2) Creating client certificates and signing with this root certificate

EAP-TLS requires client certificates. TTLS does not.

> 3) On the Windows client we add our root certificate to trusted root certificates
> 4) On the Windows client we add the generated client certificates to the trusted personal certificates

For EAP-TLS. Not for TTLS.

> If this is true, does ttls/pap require certificates on the server and client? I thought ttls/pap only requires certificates on the server

Doing *any* TLS requires that the Windows client knows about the root CA.

You *don't* need a client certificate for TTLS + PAP.

You *do* need a client certificate for EAP-TLS.

You *do* need a server certificate which is on FreeRADIUS. That server certificate *must* be signed by the root CA.

Alan DeKok.
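
The following added example, which is not part of the original message, uses the openssl command line to check the last point in the reply: that the server certificate chains to the root CA the client trusts, and fails against any other CA. The CA names, the server subject and the temporary files are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: CA names, subjects and files are constructed for this demo.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed root CA (NAME.key, NAME.pem) in $WORK.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_server_cert CA NAME: issue a server certificate NAME.pem signed by CA.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# trust_status CA NAME: print "trusted" if NAME.pem verifies against CA.pem,
# which is the check a client holding only that root CA would perform.
trust_status() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

make_ca site-root-ca      # the root CA installed on the Windows client
make_ca unrelated-ca      # some other CA the client does not know
make_server_cert site-root-ca server

echo "server vs site-root-ca: $(trust_status site-root-ca server)"
echo "server vs unrelated-ca: $(trust_status unrelated-ca server)"
```

Against a real deployment, the same `openssl verify -CAfile` check can be run with the root CA file distributed to clients and the server certificate configured in the eap module.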