about "freeradius accepts anybody"

Sergio Yébenes Moreno sergioyebenes at alumnos.upm.es
Fri Jul 11 15:33:12 CEST 2008


Ivan Kalik wrote:
>> Ok. DNIe gives PUBLIC access control, to a public network (university, 
>> Madrid Wifi (hehe, Gallardón is playing king-mayor) etc), dynamic keys, and 
>> all in 802.1x and, in consequence, 802.11i. But probably we don't want 
>> everybody in this network. Surely we haven't spent money and time issuing 
>> certificates to clients. Because of this, we have the "autorizados" file. 
>> Then, we only have to issue certificates to radius. Clients trust my 
>> CA, and radius trusts the "ministerio del interior", hehehe, which signs 
>> certificates for everybody in Spain.
>>     
>
> I can see where you are heading with this. You want to use
> usernames/passwords *and* check client certificates. Freeradius doesn't
> support this. That is called PEAP-EAP-TLS and is supported in
> Microsoft-only networks.
>
> Ivan Kalik
> Kalik Informatika ISP
>
I don't want to use passwords. I only want to use what is working at this 
time: public-domain EAP-TLS, but only for students of a university, for 
example. Probably there are better methods to do this, but this works. I 
promise... the "identity" field in wpa_supplicant and the cert's "commonName" 
in WinXP clients.
Now I want to set up 3 virtual servers, one for DNIe and one for another 
public CA (FNMT) that has a smaller range than DNIe. I'd like to ask you, if 
you know. The "authorize" section supports unlang and we can use User-Name, 
for example, to authenticate in any virtual server. I suspect that I 
can't do this based on the signer of the client certificate. The point is that 
the common name in certificates signed by FNMT comes with a well-known 
prefix, and the DNIe CommonName comes with a well-known suffix. I don't 
know how to begin... hints file, sites-enabled, regular 
expressions... The FreeRADIUS virtual servers documentation shows virtual 
servers based on IP, access points, server pools, but nothing about user 
credentials...
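An added illustration, not part of this thread and not FreeRADIUS's own configuration: an unlang policy of the kind FreeRADIUS 2.x runs against the client certificate when the `tls` section of eap.conf names a `virtual_server`. The certificate is only available after the TLS handshake, so the signer and CN can be checked inside one such server rather than used to pick a virtual server when the request first arrives; the issuer strings and CN patterns below are placeholders.

```unlang
# Added example: certificate-check virtual server (assumes FreeRADIUS 2.x
# with "virtual_server = check-eap-tls" in the tls section of eap.conf).
# The EAP-TLS module fills in the TLS-Client-Cert-* attributes once the
# handshake is complete and then runs this authorize section: "ok"
# accepts the certificate, "reject" refuses it and fails the EAP session.
server check-eap-tls {
	authorize {
		# Bind the certificate to the EAP identity: the CN must equal the
		# identity the client sent, so a valid certificate cannot be
		# presented under somebody else's User-Name.
		if ("%{TLS-Client-Cert-Common-Name}" != "%{User-Name}") {
			reject
		}

		# DNIe: issued by the state CA, CN ends in a well-known suffix.
		# DNIE_ISSUER_PLACEHOLDER / DNIE_SUFFIX_PLACEHOLDER are placeholders.
		if ("%{TLS-Client-Cert-Issuer}" =~ /DNIE_ISSUER_PLACEHOLDER/) {
			if ("%{TLS-Client-Cert-Common-Name}" =~ /DNIE_SUFFIX_PLACEHOLDER$/) {
				ok
			}
			else {
				reject
			}
		}

		# FNMT: a different CA, CN starts with a well-known prefix.
		# FNMT_ISSUER_PLACEHOLDER / FNMT_PREFIX_PLACEHOLDER are placeholders.
		elsif ("%{TLS-Client-Cert-Issuer}" =~ /FNMT_ISSUER_PLACEHOLDER/) {
			if ("%{TLS-Client-Cert-Common-Name}" =~ /^FNMT_PREFIX_PLACEHOLDER/) {
				ok
			}
			else {
				reject
			}
		}

		# Any other issuer is refused even if its chain validates against
		# the configured CA bundle.
		else {
			reject
		}
	}
}
```

The per-student allow-list (the "autorizados" file in the thread) still applies in the main server's authorize section keyed on User-Name, which the first check above ties to the certificate CN.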