Hi Rich
On 2014-11-11, at 15:37 , Rich Graves <[email protected]> wrote:
> We are happily (within reason) supporting PEAP-MSCHAPv2. I would also like to
> start supporting EAP-TLS for certain clients.
>
> It seems safest to leave default_eap_type=peap and rely on supplicants
> configured for EAP-TLS (probably just MacOS and Windows 7+) to counter with
> EAP-Acknowledge(EAP-MD5). Does this work in practice?
That should work.
I have tested it with a client and they reported it working.
Obviously you will also need to configure FreeRADIUS to point to your
certificate authority using CA_file in eap.conf.
> (How) can I configure my certificate subject resolution such that EAP-TLS
> authenticated users follow exactly the same role+VLAN derivation logic as
> PEAP users?
That is all based on the username of the radius request.
While I don't have an example at hand, if the subject of the certificate is
properly configured it should map to a username automatically in radius.
The eap module should take care of that if I am not mistaken.
> Do any other parts of the PacketFence FreeRADIUS (or beyond) configuration
> need to be altered to accommodate EAP-TLS?
It should only affect radius.
Let me know if you need a hand.
It should not be too complicated.
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
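
The eap.conf settings this thread touches, as an added sketch (not part of the original message and not PacketFence's shipped configuration). It assumes the FreeRADIUS 2.x file layout; all paths are placeholders, and options not shown stay as they are in the existing file.

```conf
# Constructed fragment of eap.conf; every path below is a placeholder.
eap {
    # Keep offering PEAP first, as the site does today. A supplicant
    # configured for EAP-TLS answers the PEAP offer with an EAP NAK that
    # proposes TLS (EAP type 13); the server then switches methods,
    # provided the tls section below is configured.
    default_eap_type = peap

    tls {
        # Server key and certificate, shared by PEAP and EAP-TLS.
        private_key_file = /path/to/server.key
        certificate_file = /path/to/server.pem

        # CA (or chain) that issued the client certificates. Only
        # certificates that validate against this file are accepted
        # for EAP-TLS.
        CA_file = /path/to/client-ca.pem

        # The User-Name attribute in the RADIUS request is the identity
        # the supplicant sends, and username-based role and VLAN logic
        # keys on that value. This check rejects the session unless the
        # certificate's CN equals that User-Name, so a valid certificate
        # cannot be presented under a different identity.
        check_cert_cn = %{User-Name}
    }

    peap {
        # Existing PEAP-MSCHAPv2 behaviour is unchanged.
        default_eap_type = mschapv2
    }

    mschapv2 {
    }
}
```

Running the server in debug mode (`radiusd -X`) while a test client connects shows the NAK, the method switch and the result of the CN check.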