Hi,

Alan DeKok wrote:
> Sven 'Darkman' Michels wrote:
>> But this works only on freeradius 2.x, doesn't it? Actually I have 1.1.0
>> from SLES10...
>
> Download the binary Suse packages: http://freeradius.org/download.html
>
> 1.1.0 is *very* old.

I noticed that, too :/ I upgraded last night to 2.0.2 and migrated the
config. Now it looks a bit better. My default server does the tls tunneling
and my inner-tunnel server is handling the ldap stuff. The only problem I
had was "where to force the client cert when using eap/tls" - for now I just
put it into the authorize {} block:

    authorize {
        ...
        eap {
            ok = return
        }
        update control {
            EAP-TLS-Require-Client-Cert = yes
        }
        ...
    }

which seems to work, except that the Cisco client simply doesn't offer a cert
when using ttls. As far as I know, this requirement is not often met at any
client (you posted some note about it a while ago...) so we're calling Cisco
today to clarify how we can do machine and user authentication with a forced
client cert (I can only do ttls for machine AND user/pw auth and not doing
like tls for machine and ttls for user/pw - their client doesn't support
that - the new client just crashes when the server requires a cert, hooray ;).

Thanks for your help so far - the main issue was the old freeradius as it
seems...

Regards,
Sven
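
One way to check that the server really enforces the client-certificate requirement for ttls, independently of the Cisco client, is to drive it with eapol_test from wpa_supplicant. This is an added example, not part of the original post; the file name, identities, password and certificate paths are constructed placeholders, and it assumes the inner-tunnel server accepts PAP against ldap.

```conf
# ttls-clientcert.conf - wpa_supplicant network block for eapol_test.
# All values below are constructed placeholders; replace them with your own.
#
# Run against the RADIUS server (address and shared secret are yours):
#   eapol_test -c ttls-clientcert.conf -a <server-ip> -s <shared-secret>
#
# Expected with "EAP-TLS-Require-Client-Cert = yes" set on the server:
#   - with client_cert/private_key present: the outer TLS handshake
#     completes and the inner user/password is passed to the inner-tunnel
#     server.
#   - with the client_cert/private_key lines commented out: the outer TLS
#     handshake should fail and the server should reject the request
#     before any inner authentication takes place.
# If the second run still succeeds, the requirement is not being applied
# to this EAP type.

network={
    ssid="eapol-test"
    key_mgmt=WPA-EAP
    eap=TTLS

    # Outer identity, visible in clear text; keep it anonymous.
    anonymous_identity="anonymous@example.org"

    # Inner (tunnelled) user credentials, checked by the inner-tunnel server.
    identity="testuser"
    password="testpassword"
    phase2="auth=PAP"

    # CA that signed the RADIUS server certificate. Always set this so the
    # test client validates the server before sending credentials.
    ca_cert="/etc/eapol-test/ca.pem"

    # Client (machine) certificate presented in the outer TLS handshake.
    # Comment out the next three lines for the negative test.
    client_cert="/etc/eapol-test/machine.pem"
    private_key="/etc/eapol-test/machine.key"
    private_key_passwd="placeholder-passphrase"
}
```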