Hi
I currently run FreeRADIUS 2.1.6 and have a working configuration for
EAP-TTLS and PEAP that is used for a WPA2 network. In addition to that,
I would like to allow our users to use their user certificate from a
public issuer to connect using EAP-TLS. This means that I have to check
if the subject contains our organisation. I read in previous threads
about checking the subject in the authenticate section:
    authenticate {
        Auth-Type eap {
            eap
            if (!"%{TLS-Client-Cert-Subject}" =~ /\/O=MyCompany\// ) {
                reject
            }
        }
    }
I have two questions about that:
- This would belong in the "outer" request as there is no inner request
with EAP-TLS, right?
- What happens to requests that don't provide a client certificate (the
users who still use EAP-TTLS or PEAP)?
In conclusion, is there a way to distinguish between EAP-TLS requests
and EAP-TTLS or PEAP requests? And if so, can I use a different server
section for EAP-TLS?
Thanks for your help.
Best regards,
Daniel
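Added example, not part of the original message: a small Python harness that runs the regex from the condition above over constructed subject strings and compares it with an exact match on the O attribute. It assumes the subject arrives in OpenSSL's one-line form ("/C=../O=../CN=..") and that an attribute that is not present expands to an empty string; `parse_oneline` and `exact_org_accepts` are hypothetical helper names.

```python
import re

# Pattern from the posted unlang condition ("\/" there is just "/").
POSTED_RE = re.compile(r"/O=MyCompany/")

def regex_accepts(subject):
    """True when the posted condition would NOT reject this subject string."""
    return POSTED_RE.search(subject) is not None

def parse_oneline(subject):
    """Split a one-line subject into (type, value) pairs.
    The one-line form does not escape "/" inside values, so this is a
    string-level split, not a real DN parser."""
    pairs = []
    for part in subject.split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.append((key, value))
    return pairs

def exact_org_accepts(subject, org="MyCompany"):
    """True when some O attribute equals the organisation exactly."""
    return any(k == "O" and v == org for k, v in parse_oneline(subject))

# Constructed sample subjects (not taken from real certificates).
SAMPLES = {
    "o_in_middle":    "/C=DE/O=MyCompany/CN=daniel",
    "o_last":         "/C=DE/CN=daniel/O=MyCompany",       # no trailing "/"
    "longer_org":     "/C=DE/O=MyCompany GmbH/CN=daniel",
    "other_org":      "/C=DE/O=OtherCorp/CN=daniel",
    "no_client_cert": "",                                   # empty expansion
}

def compare():
    """Map sample name -> (regex verdict, exact-match verdict)."""
    return {name: (regex_accepts(s), exact_org_accepts(s))
            for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, (rx, exact) in compare().items():
        print(f"{name:15} regex={'accept' if rx else 'reject'} "
              f"exact={'accept' if exact else 'reject'}")
```

The regex only matches when another attribute follows the O value, and an empty subject string never matches, so the condition as written evaluates to reject for it.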