about "freeradius accepts anybody"

Sergio Yébenes Moreno sergioyebenes at alumnos.upm.es
Fri Jul 11 15:00:50 CEST 2008


Fernando wrote:
> Sergio Yébenes Moreno wrote:
>> Fernando wrote:
>>>
>>> let me see... at this time...  can all clients with a valid 
>>> certificate  gain  access to the network?
>>>
>>> Sergio Yébenes Moreno wrote:
>>>> Fernando wrote:
>>>>>
>>>>> I don't understand, what is your goal?
>>>>>
>>>>> Sergio Yébenes Moreno wrote:
>>>>>> Using EAP-TLS we can make a "filter" for users, based on different 
>>>>>> attributes (I think). In my case, the "identity" field in 
>>>>>> wpa_supplicant.conf.
>>>>>>
>>>>>> Freeradius config:
>>>>>>
>>>>>> The users file contains this:
>>>>>> .....
>>>>>> .....
>>>>>> $INCLUDE autorizados
>>>>>> DEFAULT    Auth-Type := Reject
>>>>>>            Reply-Message = "out"
>>>>>> ......
>>>>>> ......
>>>>>>
>>>>>> The autorizados file contains this (reply items on continuation
>>>>>> lines are comma-separated, so the Reply-Message line needs a
>>>>>> trailing comma before Fall-Through):
>>>>>> "user1"    Cleartext-Password := ""
>>>>>>            Reply-Message = "Autorizando.....",
>>>>>>            Fall-Through = No
>>>>>> "user2" ............
>>>>>> ...........
>>>>>>
>>>>>> I had to do this because I'm not the signer of the client 
>>>>>> certificates, only of the server's. I hope this will help somebody.
>>>>>> -
>>>>>> List info/subscribe/unsubscribe? See 
>>>>>> http://www.freeradius.org/list/users.html
>>>>>>
>>>>>
>>>> To use EAP-TLS with client certs signed by a public CA. Public CA 
>>>> means that I can't do anything with it. But I don't want 
>>>> everybody to come onto my network. I know that my English isn't very 
>>>> clear, but I think it's very simple. Clients are in a public PKI. 
>>>> Servers are in my own PKI. Clients trust my PKI; servers trust 
>>>> this public PKI. But servers only authorize some users.
>> No. Only if they are in the "autorizados" file. I've checked it with 
>> wpa_supplicant, changing the "identity" field but keeping the same 
>> certificate. The certificates are signed by a public CA. It's the DNIe 
>> in Spain. Probably you know it. Because of this, I should have a 
>> "filter" for users. This is my project at university. Using the DNIe in 
>> my home network isn't one of my objectives.
> Anyone that has a DNIe can access your home network. I mean that 
> you must have two phases: first, user authentication with the DNIe, and 
> then a process of authorization. You do the authorization process 
> with the file "autorizados". So, what is the problem?
First, FreeRADIUS looks in the users file, and only if the client is 
authorized does it check the DNIe. There isn't any problem; I only want to 
show this, maybe help somebody, and show Ivan Kalik how clients and 
servers can trust different CAs.

Thanks for reading.
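The two-step gate discussed in this thread, as an added example that is not FreeRADIUS code and not the poster's own: a parser for the `users` file format (including `$INCLUDE` and comma-separated reply items), the first-match walk that lets `DEFAULT Auth-Type := Reject` turn away every identity not listed in `autorizados`, and the check a practitioner would add on top. That last check matters because the "identity" in wpa_supplicant.conf is whatever the supplicant chooses to send; the CA only vouches for the certificate. The code therefore refuses the session unless the verified certificate's subject CN equals the identity that passed the users file, which is what FreeRADIUS's own `check_cert_cn = %{User-Name}` setting in the tls section of eap.conf does. The file contents, the identities and the CN values below are constructed for the example; a real DNIe subject does not look like `user1`, so in practice you would map the DNIe subject to the username you keep in `autorizados`.

```python
"""Model of the authorize-then-bind gate from the thread.  Added example;
not FreeRADIUS code and not the poster's configuration."""

import re

# Constructed stand-ins for the poster's `users` and `autorizados` files.
# Continuation lines carry the trailing commas the users-file syntax needs.
FILES = {
    "users": '''
$INCLUDE autorizados
DEFAULT    Auth-Type := Reject
           Reply-Message = "out"
''',
    "autorizados": '''
"user1"    Cleartext-Password := ""
           Reply-Message = "Autorizando.....",
           Fall-Through = No
"user2"    Cleartext-Password := ""
           Reply-Message = "Autorizando.....",
           Fall-Through = No
''',
}

# One `Attribute op value` item, optionally followed by a comma.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("([^"]*)"|[^\s,]+)\s*,?\s*')


def parse_items(text):
    """Parse 'Attr op value, Attr op value' into [(attr, op, value), ...]."""
    items, pos = [], 0
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError("bad item syntax: %r" % text[pos:])
        value = m.group(4) if m.group(4) is not None else m.group(3)
        items.append((m.group(1), m.group(2), value))
        pos = m.end()
    return items


def parse_users(name, files=FILES):
    """Entries in file order as (name, check_items, reply_items); $INCLUDE
    is how `autorizados` is pulled into `users`."""
    entries = []
    for line in files[name].splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("$INCLUDE"):
            entries.extend(parse_users(line.split(None, 1)[1].strip(), files))
        elif line[0].isspace():
            entries[-1][2].extend(parse_items(line))   # reply items of last entry
        else:
            first, rest = line.split(None, 1)
            entries.append((first.strip('"'), parse_items(rest), []))
    return entries


def authorize(identity, entries):
    """First-match walk: DEFAULT matches any name, and the walk stops at the
    first match unless it sets Fall-Through = Yes.  Only Auth-Type is
    interpreted; real FreeRADIUS also compares the other check items."""
    reply, auth_type = {}, None
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != identity:
            continue
        fall_through = False
        for attr, _op, value in checks:
            if attr == "Auth-Type":
                auth_type = value
        for attr, _op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply[attr] = value
        if not fall_through:
            break
    if auth_type == "Reject":
        return ("reject", reply)
    return ("eap-tls", reply)      # allowed to start the TLS handshake


def bind_identity_to_cert(identity, cert_subject_cn):
    """The outer identity is self-declared by the supplicant; only the cert
    is CA-verified.  Mirrors `check_cert_cn = %{User-Name}` (assumed CN
    format: the CN equals the username kept in autorizados)."""
    return identity == cert_subject_cn


def decide(identity, cert_subject_cn, entries):
    """Full gate: users file first, then the verified cert bound to the name."""
    outcome, reply = authorize(identity, entries)
    if outcome == "reject":
        return ("Access-Reject", reply.get("Reply-Message"))
    if not bind_identity_to_cert(identity, cert_subject_cn):
        return ("Access-Reject", "certificate subject does not match identity")
    return ("Access-Accept", reply.get("Reply-Message"))


if __name__ == "__main__":
    entries = parse_users("users")
    print(decide("user1", "user1", entries))      # listed, cert matches
    print(decide("mallory", "mallory", entries))  # not in autorizados
    print(decide("user1", "user2", entries))      # borrowed identity, other cert
```

The third case is the one the users-file filter alone cannot catch: a DNIe holder who is not in `autorizados` simply sends `identity="user1"`, and without the CN binding the server would accept the session on the strength of a perfectly valid but unrelated certificate.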