This may sound like a strange request, but I'd like to know if it is possible to use FreeRADIUS to perform EAP-TLS without asking for a client certificate. The purpose is to allow for a secure connection to an access point without client authentication. I think this might be useful to replace "open wireless" for public wireless access with something more secure.
According to the EAP-TLS RFC (rfc2716), it sounds like it might be possible:

"The certificate_request message is included when the server desires the client to authenticate itself via public key. While the EAP server SHOULD require client authentication, this is not a requirement, since it may be possible that the server will require that the peer authenticate via some other means."

I tried this with FreeRADIUS and eapol_test (from wpa_supplicant) with the following result:

    [eap] Identity does not match User-Name, setting from EAP Identity.
    [eap] Failed in handler
    ++[eap] returns invalid
    Failed to authenticate the user.

The only change I've made from the default eap.conf is to try disabling the CA_file setting (I've tried it both ways). Does it sound like this is something that should be possible, or am I off base?

Thanks!
Christopher

