Sven 'Darkman' Michels wrote:
> Ok, I'll double-check that. But just a note: if I use the wrong cert and
> see a NACK message in the log, then my TTLS failed and I shouldn't see
> an LDAP query at all...?

It all depends on how you set up your configuration.

> Or do I misunderstand something here? I just want to make sure that my
> client is "my" client, and not a stranger. That's why I want the EAP
> stuff (to force all "signed" by the client's cert, and avoid password
> attacks and stuff like that).

You can configure the LDAP queries to be run *only* after the TLS tunnel
has been set up. See raddb/sites-available/inner-tunnel.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
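As an added illustration of the split Alan points at (this is example configuration written for this note, not text from the thread and not the files the FreeRADIUS project ships, which are longer), the outer virtual server only drives the EAP negotiation, while the inner-tunnel virtual server, which FreeRADIUS enters only for data carried inside an established TLS tunnel, is the one place where ldap is called. It assumes a FreeRADIUS 3.x raddb layout, the default module instance name `ldap`, and the usual `${certdir}`/`${cadir}` variables; the certificate paths are placeholders.

```conf
# raddb/sites-available/default (outer server, excerpt). No ldap here: at this
# point the client has not proven anything, and the outer identity is usually
# anonymous, so an LDAP lookup would run before TLS and prove nothing.
server default {
    authorize {
        preprocess
        eap {
            ok = return      # EAP exchange in progress, skip the rest
        }
    }
    authenticate {
        eap
    }
}

# raddb/sites-available/inner-tunnel (excerpt). This server is reached only
# after the TTLS handshake has succeeded, so ldap runs only for clients
# whose certificate was accepted.
server inner-tunnel {
    authorize {
        eap {
            ok = return      # inner EAP method (e.g. MSCHAPv2) in progress
        }
        ldap                 # the only LDAP query in the whole flow
        pap                  # sets Auth-Type := PAP when ldap supplied a password
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        eap
    }
}

# raddb/mods-available/eap (excerpt). Bind TTLS to the inner server and
# require a client certificate, so a client without a cert your CA signed
# is rejected during the handshake and never reaches inner-tunnel.
eap {
    default_eap_type = ttls
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem   # placeholder path
        certificate_file = ${certdir}/server.pem   # placeholder path
        ca_file = ${cadir}/ca.pem                  # placeholder path
    }
    ttls {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
        require_client_cert = yes
    }
}
```

With this split, a client whose certificate fails during the TTLS handshake is refused before inner-tunnel is ever entered, so no LDAP query shows up in the log for it. If ldap is also listed in the outer server's authorize section, you will instead see queries (against the outer, typically anonymous, identity) before the tunnel exists, which is the situation the question describes.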

