Artur Hecker <[EMAIL PROTECTED]> wrote:
> oh.. so theoretically the server needs a "special" server certificate
> enabling it to sign something, right? (with the right extensions, etc.)

Yes. See the tls{} configuration. It points to a server certificate. The client certificates are signed with this certificate.

> yes ok. but if you just want to block a user for a while, you can still
> apply the rest of the authorization, right?

Yes. You can always block any user for any reason.

> i think my problem is that i don't really know who does what in the
> setup you present. rlm_eaptls checks the certificate - if it is signed by
> the server's certificate then the user is granted access - independently
> of what?

Independently of the user & password existing in a database. If you don't list usernames and passwords in a database, then the server has no way of authenticating users... unless you use certificates.

Alan DeKok.