On Fri, Mar 30, 2012 at 1:07 PM, Heinrich, Sebastian
<[email protected]> wrote:
>> to have a happy client when checking the cert, the 'check certificate' needs to be ticked,
>> the CN from the certificate should be in the 'server name' field and the CA ticked
>> in the list of CAs. if you don't see the CA of the RADIUS server in that list, then
>> you need to install the CA into the client's trusted root certificate store...
>> copy the .der to the client, click on it... then choose to select where to put it...
>
>> (there are loads and loads of documents covering this scattered all over the internet..
>> some are newer than others...and so correct)
>
> All in all you can say that if I use PEAP-EAP-MS-CHAPv2 I don't need to 
> create certificates and put them in the FreeRADIUS Server.

No.

From Wikipedia, "PEAP is a protocol that encapsulates the Extensible
Authentication Protocol (EAP) within an encrypted and authenticated
Transport Layer Security (TLS) tunnel."

TLS always needs a certificate.

> There is nothing checked if you don't check the checkbox 'check certificate'.

It doesn't CHECK for the certificate common name (CN) or certificate
authority (CA), but it still uses the server certificate to create the
TLS tunnel.

> Actually the existing certificates in the certs subdirectory could be deleted 
> but the authentication would work?

It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2, then
you don't need certificates.

-- 
Fajar
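
The client-side settings discussed in this thread, shown as an added example that is not part of any poster's message: two wpa_supplicant.conf network blocks for PEAP with MSCHAPv2, one without and one with server certificate validation. wpa_supplicant is assumed here as the supplicant (the thread describes a client with tick boxes), and the SSID, identity, password, CA path and server name are constructed.

```conf
# Added example; every value below is constructed.

# Weak: the equivalent of leaving 'check certificate' unticked.
# The PEAP TLS tunnel is still built with the server's certificate,
# but the client verifies neither the issuing CA nor the server name.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="constructed-password"
}

# Corrected: the equivalent of ticking 'check certificate', ticking the CA
# in the CA list, and filling in the 'server name' field.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="constructed-password"
    # Trust only the CA that signed the RADIUS server certificate
    # (PEM or DER file copied to the client).
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"
    # Require this exact name in the server certificate: matched against
    # SubjectAltName dNSName entries, or the CN if no dNSName is present.
    domain_match="radius.example.org"
}
```

In both blocks the RADIUS server must still hold a certificate and private key, because the PEAP tunnel cannot be established without one; only the second block makes the client check whose certificate it is.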