about "freeradius accepts anybody"

Sergio Yébenes Moreno sergioyebenes at alumnos.upm.es
Fri Jul 11 13:10:51 CEST 2008


Fernando wrote:
>
> let me see... at this time... can all clients with a valid 
> certificate gain access to the network?
>
> Sergio Yébenes Moreno wrote:
>> Fernando wrote:
>>>
>>> I don't understand, what is your goal?
>>>
>>> Sergio Yébenes Moreno wrote:
>>>> Using eap-tls we can make a "filter" to users, based on different 
>>>> attributes (I think). In my case, the "identity" field in 
>>>> wpa_supplicant.conf.
>>>>
>>>> Freeradius config:
>>>>
>>>> file users contains this
>>>> .....
>>>> .....
>>>> $INCLUDE autorizados
>>>> DEFAULT    Auth-Type := Reject
>>>>                     Reply-Message = "out"
>>>> ......
>>>> ......
>>>>
>>>> file autorizados contains this
>>>> "user1"    Cleartext-Password := ""
>>>>                Reply-Message = "Autorizando....."
>>>>                Fall-Through = No
>>>> "user2" ............
>>>> ...........
>>>>
>>>> I had to make this because I'm not the signer of client 
>>>> certificates, only for server. I hope that somebody will help this.
>>>> -
>>>> List info/subscribe/unsubscribe? See 
>>>> http://www.freeradius.org/list/users.html
>>>>
>>>
>> To use eap-tls with client certs signed by a public CA. Public CA 
>> means that I can't do anything with this. But I don't want that 
>> everybody comes to my network. I know that my English isn't very 
>> clear, but I think it's very simple. Clients are in a public PKI. 
>> Servers are in my own PKI. Clients trust in my PKI, servers trust in 
>> this public PKI. But servers only authorize some users.
>>
>
No. Only if they are in the "autorizados" file. I've checked it with 
wpa_supplicant, changing the "identity" field, but with the same 
certificate. The certificates are signed by a public CA. It's the DNIe in 
Spain. Probably you know it. Because of this, I should have a "filter" 
for users. This is my project at university. Using the DNIe in my home 
network isn't one of my objectives.
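
Added example, not part of the original post or of FreeRADIUS: a Python model of the allowlist decision discussed in this thread, comparing a match on the EAP identity alone with one that also requires the identity to equal the CN of the validated client certificate. The entries, CN values and function names are constructed assumptions; in FreeRADIUS the comparison itself is what the `check_cert_cn = %{User-Name}` option in the `tls` section of eap.conf performs.

```python
import re

# Constructed sample in the layout of the post's "autorizados" file.
AUTORIZADOS = '''\
"user1"    Cleartext-Password := ""
               Reply-Message = "Autorizando....."
               Fall-Through = No
"user2"    Cleartext-Password := ""
               Fall-Through = No
'''

def parse_allowlist(text):
    """Return entry names; an entry starts in column 0, reply items are indented."""
    names = set()
    for line in text.splitlines():
        if not line or line[0].isspace() or line.startswith("#"):
            continue
        m = re.match(r'"([^"]+)"|(\S+)', line)
        name = m.group(1) or m.group(2)
        if name not in ("DEFAULT", "$INCLUDE"):
            names.add(name)
    return names

def identity_only(identity, cert_cn, allowed):
    """Policy in the post: chain validation is assumed done; only the identity is matched."""
    return identity in allowed

def cn_bound(identity, cert_cn, allowed):
    """Hardened policy: identity must equal the validated CN, and that CN must be listed."""
    return identity == cert_cn and cert_cn in allowed

def evaluate(requests, allowed):
    """Return {label: (identity_only result, cn_bound result)} for each request."""
    return {label: (identity_only(i, cn, allowed), cn_bound(i, cn, allowed))
            for label, i, cn in requests}

ALLOWED = parse_allowlist(AUTORIZADOS)
# Constructed requests: (label, EAP identity, CN of the validated certificate).
REQUESTS = [
    ("listed user, own cert", "user1", "user1"),
    ("unlisted cert, listed identity", "user1", "user9"),
    ("unlisted user, own cert", "user9", "user9"),
]

if __name__ == "__main__":
    for label, (weak, bound) in evaluate(REQUESTS, ALLOWED).items():
        print(f"{label:32} identity-only={weak!s:5} cn-bound={bound}")
```

The second request is the case that separates the two policies: the certificate validates against the public CA, so only the CN comparison ties the allowlist entry to the certificate holder.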


