Question about Windows XP (Odyssey Client) + EAP-TLS with freeRADIUS
Hangjun He
elmerhe at yahoo.com.cn
Fri Dec 14 03:08:23 CET 2007
Yes. It sounds good.
Check the common name in the certificate against databases (users or others).
John
s3b0 at gmx.de wrote:
> Hangjun He wrote:
> > And I use EAP-TLS with correct certs. Even if I set a wrong
> > username in Odyssey Client, freeRADIUS will return
> > success (check_cert_cn not set).
>
> EAP-TLS authenticates users based on certificates. It ignores the
> user name.
I think that's not completely correct. When you use EAP-TLS, the username in the RADIUS packet is the common name of your certificate. So you can check in the users file against the common name, and reject specific common names...
If you set check_cert_cn to "yes", then the server will compare the common name of the certificate with the user-name in the RADIUS packet (as I said, this is normally also the common name).
>
> > Can I let freeRADIUS check whether the username is in the users file or other
> > database? If not, reject the user.
>
> Yes. Configure that:
>
> bob Auth-Type := Reject
>
> Alan DeKok.
>
Sebastian
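
The checks discussed in this thread, modeled as an added Python example (not FreeRADIUS code and not written by any poster): it shows why a wrong username succeeds when `check_cert_cn` is not set, and why a name-based reject entry only binds to a certificate once the CN check is on. The function names `common_name` and `decide` and the sample subjects are assumptions made for illustration.

```python
# Added example: a model of the checks discussed in this thread, not FreeRADIUS code.
# Assumption: the TLS handshake has already validated the client certificate chain.

def common_name(subject):
    """Return the CN from an OpenSSL-style one-line subject, or None if absent."""
    for part in subject.split("/"):
        key, sep, value = part.partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    return None

def decide(user_name, cert_subject, check_cert_cn=False,
           rejected=frozenset(), known_users=None):
    """Return (verdict, reason) for one EAP-TLS login attempt.

    user_name    -- User-Name attribute from the RADIUS packet (client-chosen)
    rejected     -- names listed as 'name Auth-Type := Reject' in the users file
    known_users  -- optional set of names from a user database; None = no lookup
    """
    cn = common_name(cert_subject)
    if cn is None:
        return ("Access-Reject", "certificate has no CN")
    # With check_cert_cn enabled, User-Name must equal the certificate CN.
    if check_cert_cn and user_name != cn:
        return ("Access-Reject", "User-Name does not match certificate CN")
    # Name-based policy is keyed on User-Name, so it is only as trustworthy
    # as the binding between User-Name and the certificate enforced above.
    if user_name in rejected:
        return ("Access-Reject", "listed with Auth-Type := Reject")
    if known_users is not None and user_name not in known_users:
        return ("Access-Reject", "not in user database")
    return ("Access-Accept", "certificate accepted")

# Constructed sample subjects for the example.
ALICE = "/C=DE/O=Example/CN=alice"
BOB = "/C=DE/O=Example/CN=bob"

if __name__ == "__main__":
    cases = [
        ("wrong-name", ALICE, False),  # behaviour reported in the thread
        ("wrong-name", ALICE, True),   # CN check catches the mismatch
        ("bob", BOB, True),            # reject entry applies to bob's certificate
        ("alice", BOB, False),         # without the CN check the entry does not bind
        ("alice", BOB, True),          # CN check restores the binding
    ]
    for name, subject, check in cases:
        print(name, check, decide(name, subject, check, rejected={"bob"}))
```
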