We are switching to EAP-TLS for wireless authentication, and have everything in place with the exception of a certificate revocation checking process. We would prefer to use OCSP, but it appears that FreeRADIUS isn't supporting OCSP very well (it is either buggy or not feature rich). Specifically, it would appear that if you don't specify a URL (a responder override), FreeRADIUS will not correctly pull the responder URL from the certificate. Verification then fails, and thus the user connection will not be established. We have multiple CAs, so hard-coding a single responder URL is not optimal. The other issue is that a fail-open option for FreeRADIUS also doesn't look to be officially supported, and is only provided via some user patch that won't likely work when the code is upgraded. A soft fail would allow users to be authenticated if a responder is unavailable, and presumably we can set some timeout that is less than a user connection timeout for this to occur.
With all of this preface, I have been looking for commercially supported RADIUS platforms, and Radiator looks to be a really good option. I am not entirely sure they support the above options, but have inquired. Anyone have some good opinions on Radiator? As to our actual problems, we could be messing up the config, but I don't think so :)

Thanks,
Ryan Turner

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
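An added example, not part of Ryan's post and not FreeRADIUS or Radiator code: the multiple-CA problem he describes comes down to the responder URL living in each client certificate's authorityInfoAccess (AIA) extension, so a verifier has to read it per certificate rather than use one configured URL. The script below builds two constructed private CAs whose leaf certificates point at different (made-up, example.org) responders, extracts the URI the way a RADIUS server would have to, and wraps `openssl ocsp` with an explicit timeout and a soft-fail/hard-fail decision for the unreachable-responder case. It assumes only a local `openssl` binary; the CA names, paths and responder URLs are invented for the demonstration, and the live query function is not run because it needs network access to a responder.

```shell
#!/bin/sh
# Added example (not from the original post or FreeRADIUS): build two private
# CAs whose leaf certificates carry different OCSP responder URLs in their AIA
# extension, then show how a verifier must locate the responder per
# certificate instead of relying on one hard-coded URL.
# All CA names, paths and responder URLs below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca_and_leaf NAME OCSP_URL DIR
# Creates a self-signed CA and one client certificate issued by it; the client
# certificate's authorityInfoAccess extension points at OCSP_URL.
make_ca_and_leaf() {
    mkdir -p "$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$3/ca.key" -out "$3/ca.pem" -subj "/CN=$1" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$3/leaf.key" -out "$3/leaf.csr" -subj "/CN=user@example.org" 2>/dev/null
    printf 'authorityInfoAccess = OCSP;URI:%s\n' "$2" > "$3/ext.cnf"
    openssl x509 -req -days 30 -in "$3/leaf.csr" \
        -CA "$3/ca.pem" -CAkey "$3/ca.key" -CAcreateserial \
        -extfile "$3/ext.cnf" -out "$3/leaf.pem" 2>/dev/null
}

# ocsp_uri CERT: print the OCSP responder URI from CERT's AIA extension
# (prints nothing if the certificate carries none).
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# ocsp_check LEAF ISSUER TIMEOUT_SECONDS SOFTFAIL(yes|no)
# Queries the responder named in LEAF itself. Prints one of
# good / revoked / unknown / unreachable and returns 0 only when the
# connection should be accepted. Needs network access to the responder,
# so the demo below does not invoke it.
ocsp_check() {
    uri=$(ocsp_uri "$1")
    if [ -z "$uri" ]; then
        echo "no OCSP URI in $1; hard-fail" >&2
        return 1
    fi
    # -CAfile "$2" is enough here because the demo issuer is the CA root itself.
    if out=$(openssl ocsp -issuer "$2" -cert "$1" -CAfile "$2" \
                 -url "$uri" -timeout "$3" 2>&1); then
        case "$out" in
            *": good"*)    echo good;    return 0 ;;
            *": revoked"*) echo revoked; return 1 ;;
            *)             echo unknown; return 1 ;;
        esac
    fi
    # No verifiable answer within the timeout: this is the soft-fail decision.
    if [ "$4" = yes ]; then
        echo "unreachable (soft-fail: accepting)"; return 0
    fi
    echo "unreachable (hard-fail: rejecting)"; return 1
}

# Two CAs, two different responders; the right URL is only knowable per cert.
make_ca_and_leaf "Campus CA A" "http://ocsp-a.example.org/" "$WORK/a"
make_ca_and_leaf "Campus CA B" "http://ocsp-b.example.org/" "$WORK/b"
for d in a b; do
    printf '%s -> %s\n' "$WORK/$d/leaf.pem" "$(ocsp_uri "$WORK/$d/leaf.pem")"
done
```

Running `ocsp_uri` against the CA certificates themselves prints nothing, which is the other case a server-side check has to handle deliberately (reject, or treat as unknown) rather than by accident. The `-timeout` on `openssl ocsp` is what bounds the wait so that a soft-fail decision can be taken before the supplicant's own EAP timer expires. For comparison, the `ocsp { ... }` block in the `tls` section of FreeRADIUS 3.x's `mods-available/eap` exposes `override_cert_url`, `url`, `timeout` and `softfail` settings that map onto exactly these choices.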