Walter Reynolds <[EMAIL PROTECTED]> wrote:
> What I am trying to figure out is a way to not only have a certificate,
> but a secondary way to verify that that certificate is being used by a
> person we allow.

Passwords.

> Is this something that can be done? Has anyone run into a similar problem
> and what did they do? I know we could go TTLS and not have a machine
> cert, but then we get fears of man-in-the-middle.

I would suggest a self-signed server cert, and a client certificate. You can use EAP-TLS-Require-Client-Cert to force a particular session to require a client cert. This works for TTLS, too. The server will then verify that the client cert is signed by the cert it has, which should prevent man-in-the-middle attacks.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
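An added illustration of where the check item Alan names would be set; this is not part of the original thread and not configuration from either poster. It assumes the FreeRADIUS "users" file (raddb/users) of that era, where check items go on the entry's first line and EAP-TLS-Require-Client-Cert accepts Yes/No:

```text
# Added example, not from the original thread. Assumes the FreeRADIUS
# "users" file syntax and that EAP-TLS-Require-Client-Cert is a
# Yes/No check item.
#
# Apply to every user: any TLS-based EAP session (EAP-TLS, and the
# EAP-TTLS tunnel as well) must present a client certificate. The
# server then checks that the certificate is signed by the CA it
# trusts (the self-signed server cert suggested above). A client that
# brings no certificate is rejected rather than being allowed to fall
# back to a password-only tunnel, which is the fallback that an
# in-path attacker would otherwise try to provoke.
DEFAULT EAP-TLS-Require-Client-Cert := Yes
```

Because it is a check item, the attribute must sit on the same line as DEFAULT; on an indented following line it would be treated as a reply item and have no effect. Restart the server after editing and confirm with a debug run (radiusd -X) that a session without a client cert now fails at the TLS handshake.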

