Re: free radius 1.1.6 -eap-tls authentication



CRLs are not the best way to conduct authorization for EAP-TLS: their control is too coarse when the goal is to enable/disable the use of valid certificates for different purposes, and they don't let you assign other authorization info like what VLAN a user should be assigned to.

The only option that currently works for access to real authorization with EAP-TLS is to use the:
    check_cert_cn = %{User-Name}
option in the tls section of eap.conf so you can be sure the outer identity (User-Name) matches the inner identity in the certificate; it's then valid to check User-Name against another source for authorization. If you don't perform this check you can't be sure the outer identity (User-Name) has any relation to the identity represented by the certificate. This is only an option if your user certificates contain the unique "user id" you will look up for authorization in the Common Name field, not in the Subject Alternative Name - Principal Name field (which many organizations use, as their user certificate Common Names are not unique user identifiers).

-Keith
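As an added illustration of the approach Keith describes (example configuration, not from the thread or the FreeRADIUS distribution): the tls section of eap.conf with check_cert_cn tying the outer User-Name to the certificate Common Name, and a users file entry that then attaches per-user authorization data (a VLAN) to that name. The certificate paths and the user "alice" with VLAN 100 are assumed values.

```text
# eap.conf, tls section (example; file paths are assumptions)
eap {
        default_eap_type = tls
        tls {
                private_key_file = ${raddbdir}/certs/server.pem
                certificate_file = ${raddbdir}/certs/server.pem
                CA_file = ${raddbdir}/certs/ca.pem

                # Reject the TLS session unless the outer identity sent as
                # User-Name equals the Common Name of the client certificate.
                # Only after this binding is User-Name safe to use as the
                # lookup key for authorization in the users file or elsewhere.
                check_cert_cn = %{User-Name}
        }
}

# users (example): the certificate CN is "alice", so User-Name must be
# "alice" for the session to reach this point; assign her to VLAN 100.
alice
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100"
```

Without the check_cert_cn line a client holding a valid certificate for one name could present any other name as User-Name and pick up that name's reply attributes.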


On May 17, 2007, at 1:49 AM, Alan DeKok wrote:

anoop_c@sifycorp.com wrote:
1 Where will I find the log of the authentication like.... username login ok...or login failed

  It's in "radius.log"

2 If I install one user's certificate in another user's laptop, it works. I want one user's certificate to work on one laptop only.

  There's no real way of doing that.  You *could* put the MAC address
into the certificate, and have the RADIUS server check that against the
MAC address in the RADIUS request, but there's no guarantee that will
work.  It can be spoofed, and it can break valid configurations.

3 In the users file I haven't added any certificate name as it is EAP-TLS. So if I want to remove the user from the network I don't have control. Is there any method like I can add the certificate names in the users file, then only it should work?

  Certificate revocation lists.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html