if i understand correctly, you only want to authenticate the network-side but not the client side.

i don't think that is possible for the simple reason: in 802.1X in some cases it would result in no authentication at all. client cannot be forced to verify presented server certificate (as you know you have an option in windows XP not to check the server). so, supposing that the client doesn't check the network and using your option not to identify the client either, you do not verify anybody's identity.

anyway, this EAP stuff in 802.1X or PPP is all about network access control, i.e. the network tries to verify who accesses it. if you look at things like EAP/MD5 and EAP/OTP you will see that all these first ideas are not mutual (in the sense that the client doesn't know anything, but the network is sure whom it is serving - or at least debiting). so EAP/TLS was initially meant for the same thing. you can deactivate the authentication of the network but i don't think you can deactivate the auth of the client.

what you need is something like EAP/TTLS or EAP/PEAP, i think...

ciao
artur

wu zhen wrote:
>
> Hi, All
>
> I know that FreeRadius could support EAP-TLS, which supports mutual
> authentication. I have tried it successfully with XP client.
>
> My question is whether we could make some configurations to FreeRadius
> so that TLS only carries out unilateral authentication, not mutual
> authentication (such as: client authenticates server certificate). As I
> know, the EAP-TLS specification has an option to do that.
>
> Wu Zhen
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Artur Hecker
artur[at]hecker.info
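
The EAP/TTLS or EAP/PEAP alternative suggested in the reply above, sketched as a FreeRADIUS configuration. This is an added example, not part of the original thread or of the project's shipped configuration. It assumes a FreeRADIUS 2.x-style `eap.conf` layout; the certificate file names and the key password are placeholders.

```conf
# eap.conf (added example; assumes FreeRADIUS 2.x-style layout)
eap {
    # Offer a tunneled method first, so clients are not asked for a certificate.
    default_eap_type = ttls

    # Server-side certificate material. TTLS and PEAP reuse this section:
    # the server still proves its identity with a certificate.
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = CHANGE_ME          # placeholder
        private_key_file = ${certdir}/server.pem  # placeholder file name
        certificate_file = ${certdir}/server.pem  # placeholder file name
        CA_file = ${cadir}/ca.pem                 # placeholder file name
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
    }

    # EAP-TTLS: the client authenticates inside the TLS tunnel
    # with a password-based method instead of a client certificate.
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }

    # EAP-PEAP: same idea, with MSCHAPv2 as the inner method
    # (the combination the Windows XP supplicant supports).
    peap {
        default_eap_type = mschapv2
    }

    # Inner methods referenced above must be enabled as well.
    md5 {
    }
    mschapv2 {
    }
}
```

With either method the network still authenticates the client, through the inner credentials, so access control is preserved. The server certificate only protects those credentials if the supplicant is configured to validate it, which is the XP "check the server" option mentioned in the reply.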
