about "freeradius accepts anybody"

Sergio Yébenes Moreno sergioyebenes at alumnos.upm.es
Fri Jul 11 16:19:36 CEST 2008


Fernando wrote:
> Sergio Yébenes Moreno wrote:
>> Ivan Kalik wrote:
>>>> Ok. DNIe gives PUBLIC access control to a public network 
>>>> (university, Madrid Wifi (hehe, Gallardón plays the mayor-king), etc.), 
>>>> dynamic keys, and all in 802.1x and, in consequence, 802.11i. But 
>>>> probably we don't want everybody in this network. Surely we hadn't 
>>>> spent money and time issuing certificates to clients. Because of 
>>>> this, we have the "autorizados" file. Then, we only should issue 
>>>> certificates to radius. Clients trust my CA, and radius trusts 
>>>> "ministerio del interior", hehehe, which signs certificates for 
>>>> everybody in Spain.
>>>>     
>>>
>>> I can see where you are heading with this. You want to use
>>> usernames/passwords *and* check client certificates. Freeradius doesn't
>>> support this. That is called PEAP-EAP-TLS and is supported in
>>> Microsoft-only networks.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> -
>>> List info/subscribe/unsubscribe? See 
>>> http://www.freeradius.org/list/users.html
>>>
>> I don't want to use passwords. I only want to use what is 
>> working at this time: public domain EAP-TLS, but only for students of a university, 
>> for example. Probably there are better methods to do this, but this 
>> works. I promise..... the "identity" field in wpa_supplicant and the cert's 
>> "commonName" in WinXP clients.
>> Now I want to set up 3 virtual servers, one for DNIe and one for another 
>> public CA (FNMT) that has a smaller range than DNIe. I'd like to ask you, 
>> if you know. The "authorize" section supports unlang and we can use 
>> User-Name, for example, to authenticate in any virtual server. I 
>> suspect that I can't do this based on the signer of the client certificate. 
>> The point is that the common name in certificates signed by FNMT comes 
>> with a well-known prefix, and the DNIe CommonName comes with a 
>> well-known suffix. I don't know how to begin..... hints file, sites-enabled, 
>> regular expressions.... The FreeRADIUS virtual server documentation shows 
>> virtual servers based on IP, access points, server pools, but nothing 
>> about user credentials.....
>>
> mmmm.... Do you want to authenticate people at different servers? Use a 
> proxy.
>
>
>              CLIENT ------------------> PROXY RADIUS ------------------> DNIe AUTH
>                                                      ------------------> MY CA AUTH
>
> ok?
>
Proxy radius is a good idea, especially if the network is big. I think so, but 
I also think that I can do this with the hints file and virtual servers, 
although I don't understand it yet. If I achieve this, I will surely try what 
you say. I have 3 or 4 months to do this.
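One way to express the per-CA check Sergio describes, as an added example that is not part of this thread or of the FreeRADIUS distribution: FreeRADIUS 2.x unlang in the post-auth section of the virtual server that terminates EAP-TLS, assuming the TLS-Client-Cert-Issuer and TLS-Client-Cert-Common-Name attributes the EAP-TLS module sets from the verified client certificate. The issuer fragments and CN patterns are placeholders, not the real DNIe or FNMT values.

```unlang
# Added example, not from the thread. Runs after the EAP-TLS handshake has
# succeeded, so the client certificate already chains to one of the CAs in
# CA_file / CA_path of eap.conf. A certificate that does not chain to a
# trusted CA never reaches this section.
post-auth {
    # Certificates issued by DNIe: the CN must end in the well-known suffix.
    # "DNIE-ISSUER-PLACEHOLDER" stands for a fragment of the DNIe issuer DN.
    if ("%{TLS-Client-Cert-Issuer}" =~ /DNIE-ISSUER-PLACEHOLDER/) {
        if ("%{TLS-Client-Cert-Common-Name}" !~ /DNIE-SUFFIX-PLACEHOLDER$/) {
            # Issuer and CN shape do not agree: refuse the session
            reject
        }
    }

    # Certificates issued by FNMT: the CN must start with the well-known prefix.
    # "FNMT-ISSUER-PLACEHOLDER" stands for a fragment of the FNMT issuer DN.
    elsif ("%{TLS-Client-Cert-Issuer}" =~ /FNMT-ISSUER-PLACEHOLDER/) {
        if ("%{TLS-Client-Cert-Common-Name}" !~ /^FNMT-PREFIX-PLACEHOLDER/) {
            reject
        }
    }

    # Chains to a trusted CA but to neither of the two we expect:
    # fail closed instead of letting the CA list alone decide.
    else {
        reject
    }
}
```

The CN pattern only narrows the population that the trusted public CA certifies; the membership check against the "autorizados" list still has to happen separately, since the CA signs certificates for everybody.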


