about "freeradius accepts anybody"

Fernando fbernal at um.es
Fri Jul 11 11:44:43 CEST 2008


Sergio wrote:
> Fernando wrote:
>> Sergio Yébenes Moreno wrote:
>>> Ivan Kalik wrote:
>>>>> Ok. DNIe gives PUBLIC access control, to a public network 
>>>>> (university, Madrid Wifi (hehe, Gallardón acts like a king mayor) etc), 
>>>>> Dynamic keys, and all in 802.1x and, in consequence, 802.11i. But 
>>>>> probably we don't want everybody in this network. Surely we hadn't 
>>>>> spent money and time issuing certificates to clients. Because of 
>>>>> this, we have "autorizados" file. Then, we only should issue 
>>>>> certificates to radius. Clients trust in my CA, and radius trusts 
>>>>> in "ministerio del interior" hehehe, that signs certificates for 
>>>>> everybody in Spain.
>>>>>     
>>>>
>>>> I can see where you are heading with this. You want to use
>>>> usernames/passwords *and* check client certificates. Freeradius doesn't
>>>> support this. That is called PEAP-EAP-TLS and is supported in
>>>> Microsoft-only networks.
>>>>
>>>> Ivan Kalik
>>>> Kalik Informatika ISP
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See 
>>>> http://www.freeradius.org/list/users.html
>>>>
>>>>
>>>> __________ NOD32 information, revision 3257 (20080710) __________
>>>>
>>>> This message has been scanned with NOD32 antivirus system
>>>> http://www.nod32.com
>>>>
>>>>
>>>>
>>>>   
>>> I don't want to use passwords. I only want to use what at this time is 
>>> working: public domain eap-tls, but only students of a university, 
>>> for example. Probably there are better methods to do this, but this 
>>> works. I promise..... "identity" field in wpa_supplicant and cert's 
>>> "commonName" in winXP clients.
>>> Now I want to put 3 virtual servers, one for DNIe and one for 
>>> another public CA (FNMT) that has less range than DNIe. I'd like to 
>>> ask you, if you know. "authorize" section supports unlang and we can 
>>> use User-Name, for example, to authenticate in any virtual server. I 
>>> suspect that I can't do this based on signer of client certificate. 
>>> The point is that common name in certificates signed by FNMT comes 
>>> with a well-known prefix, and DNIe CommonName comes with a well-known 
>>> suffix. I don't know how to begin.....hints file, sites-enabled, 
>>> regular expressions....Freeradius virtual servers documentation 
>>> shows virtual servers based on IP, access points, server pools, but 
>>> nothing about user credentials.....
>>>
>> mmmm.... Do you want to authenticate people at different servers? Use 
>> a proxy.
>>
>>
>>   CLIENT ------------------> PROXY RADIUS ------------------> DNIe AUTH
>>                                           ------------------> MY CA AUTH
>>
>> ok?
> mmmmm I see that I can authenticate users to different servers, based 
> on the domain of user-name, using radius as a proxy. But I have 
> "(AUTENTICACIÓN)" suffix for some users and "NOMBRE" prefix for the 
> others. I think this will make me spend some time.....
> Thanks Fernando
>
mmmm I don't understand... give an example :). What do you mean by 
"AUTENTICACION" and "NOMBRE"?
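
Added example, not part of the original message and not FreeRADIUS code: a Python model of the proxy decision discussed in this thread, routing on the CN patterns Sergio names (the "(AUTENTICACIÓN)" suffix for DNIe, the "NOMBRE" prefix for FNMT) and then applying the "autorizados" list. The backend names, function names and sample CNs are assumptions constructed for illustration; the identity is treated as untrusted until it equals the CN of the certificate the TLS handshake validated.

```python
import unicodedata

# Patterns named in the thread, stored in NFC form.
DNIE_SUFFIX = unicodedata.normalize("NFC", "(AUTENTICACIÓN)")
FNMT_PREFIX = "NOMBRE "

def norm(s):
    # NFC, so "O" + combining accent compares equal to precomposed "Ó".
    return unicodedata.normalize("NFC", s).strip()

def backend_for(identity):
    """Proxy step: choose a backend (hypothetical names) from the identity."""
    name = norm(identity)
    is_dnie = name.endswith(DNIE_SUFFIX)
    is_fnmt = name.startswith(FNMT_PREFIX)
    if is_dnie == is_fnmt:          # neither pattern, or ambiguously both
        return None
    return "dnie" if is_dnie else "fnmt"

def decide(identity, cert_cn, autorizados):
    """Return (backend, accepted, reason) for one EAP-TLS attempt.

    identity is what the client typed (unauthenticated); cert_cn is the CN
    of the certificate after the backend validated it against its CA.
    """
    backend = backend_for(identity)
    if backend is None:
        return (None, False, "identity matches no known CA pattern")
    if norm(identity) != norm(cert_cn):
        return (backend, False, "identity differs from certificate CN")
    if norm(cert_cn) not in autorizados:
        return (backend, False, "not listed in autorizados")
    return (backend, True, "ok")

# Constructed sample subjects, not real certificates.
ANA = "PEREZ GOMEZ, ANA (AUTENTICACIÓN)"
JUAN = "NOMBRE LOPEZ RUIZ JUAN - NIF 00000000T"
AUTORIZADOS = {norm(ANA), norm(JUAN)}

if __name__ == "__main__":
    for ident, cn in [(ANA, ANA), (ANA, JUAN), ("bob", "bob")]:
        print(ident, "->", decide(ident, cn, AUTORIZADOS))
```

In FreeRADIUS the identity-equals-CN step corresponds to the check_cert_cn option in the tls section of eap.conf.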


