Norbert Wegener wrote:
> If the client's certificate is expired, eap/tls will, of course, fail.
> In this case a guest vlan shall be assigned to the client.

I'm not sure that's good enough. The client may not believe it was successfully authenticated until the TLS session is properly finished.

> Having a module, that adds the needed radius-attributes seems to work,
> if an additional Auth-Type += Accept is added.
> Doing this, the eap-tls is short-circuited and may result in a:
>
> Incoming RADIUS packet did not have correct Message-Authenticator - dropped
> message
> on the client side.

Try adding a Message-Authenticator to the reply. Any value will do, as it will be re-calculated when the packet is sent.

Alan DeKok.
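
Added example, not part of the original thread and not FreeRADIUS code: a sketch of the RFC 3579 Message-Authenticator calculation, showing why the placeholder value in the reply does not matter and why a reply without the attribute fails the receiver's check. The shared secret, identifier, VLAN id and helper names are constructed for illustration.

```python
import hashlib, hmac, struct

MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 3579, section 3.2)

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def find_ma(packet):
    """Offset of the 16-byte Message-Authenticator value, or None."""
    pos = 20  # attributes start after the 20-byte RADIUS header
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return None  # malformed attribute list
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            return pos + 2
        pos += a_len
    return None

def sign_reply(code, ident, request_auth, attrs, secret):
    """Send-time step: overwrite the placeholder, then sign the packet."""
    body = b"".join(attrs)
    pkt = bytearray(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body)
    off = find_ma(pkt)
    if off is not None:
        pkt[off:off + 16] = bytes(16)  # whatever was supplied is zeroed first
        pkt[off:off + 16] = hmac.new(secret, pkt, hashlib.md5).digest()
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()  # Response Authenticator
    return bytes(pkt)

def receiver_accepts(reply, request_auth, secret):
    """Receiver-side check; this sketch treats a missing attribute as a failure."""
    off = find_ma(reply)
    if off is None:
        return False
    probe = bytearray(reply)
    probe[4:20] = request_auth       # HMAC is keyed over the Request Authenticator
    probe[off:off + 16] = bytes(16)  # and a zeroed Message-Authenticator field
    expected = hmac.new(secret, probe, hashlib.md5).digest()
    return hmac.compare_digest(expected, reply[off:off + 16])

SECRET, REQ_AUTH = b"testing123", bytes(range(16))  # constructed sample values
GUEST_VLAN = [attr(64, b"\x00\x00\x00\x0d"), attr(65, b"\x00\x00\x00\x06"),  # Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802
              attr(81, b"99")]  # Tunnel-Private-Group-Id, made-up VLAN id

def demo():
    bare = sign_reply(2, 7, REQ_AUTH, GUEST_VLAN, SECRET)
    with_ma = sign_reply(2, 7, REQ_AUTH, GUEST_VLAN + [attr(80, b"\xff" * 16)], SECRET)
    return receiver_accepts(bare, REQ_AUTH, SECRET), receiver_accepts(with_ma, REQ_AUTH, SECRET)
```
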

