about "freeradius accepts anybody"

Fernando fbernal at um.es
Fri Jul 11 13:38:31 CEST 2008


Sergio wrote:
> Fernando wrote:
>> Sergio wrote:
>>> Fernando wrote:
>>>> Sergio Yébenes Moreno wrote:
>>>>> Ivan Kalik wrote:
>>>>>>> Ok. DNIe gives PUBLIC access control to a public network 
>>>>>>> (university, Madrid WiFi (heh, Gallardón is playing king-mayor) 
>>>>>>> etc.), dynamic keys, and all in 802.1X and, in consequence, 
>>>>>>> 802.11i. But we probably don't want everybody on this 
>>>>>>> network. Surely we haven't spent money and time issuing 
>>>>>>> certificates to clients. Because of this, we have the "autorizados" 
>>>>>>> file. Then we only have to issue certificates to RADIUS. Clients 
>>>>>>> trust my CA, and RADIUS trusts the "Ministerio del Interior", 
>>>>>>> heh, which signs certificates for everybody in Spain.
>>>>>>>     
>>>>>>
>>>>>> I can see where you are heading with this. You want to use
>>>>>> usernames/passwords *and* check client certificates. Freeradius 
>>>>>> doesn't
>>>>>> support this. That is called PEAP-EAP-TLS and is supported in
>>>>>> Microsoft-only networks.
>>>>>>
>>>>>> Ivan Kalik
>>>>>> Kalik Informatika ISP
>>>>>>
>>>>>> -
>>>>>> List info/subscribe/unsubscribe? See 
>>>>>> http://www.freeradius.org/list/users.html
>>>>>>
>>>>>>
>>>>>> __________ NOD32 information, revision 3257 (20080710) __________
>>>>>>
>>>>>> This message has been scanned with the NOD32 antivirus system
>>>>>> http://www.nod32.com
>>>>>>
>>>>>>
>>>>>>
>>>>>>   
>>>>> I don't want to use passwords. I only want to use what is working 
>>>>> at this time: public-domain EAP-TLS, but only for students of a 
>>>>> university, for example. There are probably better methods to do 
>>>>> this, but this works, I promise..... the "identity" field in 
>>>>> wpa_supplicant and the cert's "commonName" in WinXP clients.
>>>>> Now I want to set up 3 virtual servers, one for DNIe and one for 
>>>>> another public CA (FNMT) that has a smaller scope than DNIe. I'd like 
>>>>> to ask you, if you know: the "authorize" section supports unlang and 
>>>>> we can use User-Name, for example, to authenticate in any virtual 
>>>>> server. I suspect that I can't do this based on the signer of the 
>>>>> client certificate. The point is that the common name in certificates 
>>>>> signed by FNMT comes with a well-known prefix, and the DNIe CommonName 
>>>>> comes with a well-known suffix. I don't know how to begin..... hints 
>>>>> file, sites-enabled, regular expressions.... The FreeRADIUS virtual 
>>>>> server documentation shows virtual servers based on IP, access 
>>>>> points, server pools, but nothing about user credentials.....
>>>>>
>>>> mmmm.... Do you want to authenticate people at different servers? 
>>>> Use a proxy.
>>>>
>>>>
>>>>   CLIENT ------------------> PROXY RADIUS ------------------> DNIe AUTH
>>>>                                           ------------------> MY CA AUTH
>>>>
>>>> ok?
>>>>
>>>>
>>>>
>>>>
>>>>
>>> mmmmm I see that I can authenticate users at different servers, 
>>> based on the domain of the User-Name, using RADIUS as a proxy. But I 
>>> have an "(AUTENTICACIÓN)" suffix for some users and a "NOMBRE" prefix 
>>> for the others. I think this will make me spend some time.....
>>> Thanks Fernando
>>>
>> mmmm I don't understand... give an example :). What do you mean by 
>> "AUTENTICACION" and "NOMBRE"?
>>
>>
>>
>>
>>
> "AUTENTICACIÓN" is a suffix of user-name, but only for those 
> certificates that are subordinated to FNMT ca. "NOMBRE" is a prefix of 
> user-name which have DNIe, subordinated to another ca. I want to 
> configure two virtual servers  based on this details, if I can.
>
See the suffix section in radiusd.conf; it could help you.
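
Added example (not from the thread or from the FreeRADIUS distribution) of the dispatch Sergio describes: one virtual server per issuing CA, selected by a prefix/suffix match on the outer User-Name in the "authorize" section of a front-end virtual server, instead of on the "@realm" that the suffix/realm module expects. It assumes FreeRADIUS 2.x syntax, assumes a home_server may point at a local virtual server (virtual_server = ...) and that the eap and files modules accept named instances; the realm, pool, server, module and file names (dnie, fnmt, autorizados_dnie, dnie-ca-chain.pem, ...) are invented, the "users"-style roster format is assumed, and the "(AUTENTICACIÓN)" suffix = FNMT, "NOMBRE" prefix = DNIe mapping is taken as stated in the thread. Only the dnie server is spelled out; the fnmt one has the same shape.

```conf
# ---- proxy.conf (assumed file name) ----
# "Home servers" that point at a local virtual server: no network hop,
# but the request is dispatched exactly as if it had been proxied.
home_server dnie_local {
        virtual_server = dnie
}
home_server fnmt_local {
        virtual_server = fnmt
}
home_server_pool dnie_pool {
        type = fail-over
        home_server = dnie_local
}
home_server_pool fnmt_pool {
        type = fail-over
        home_server = fnmt_local
}
# nostrip: keep the full User-Name; the per-CA servers compare it to the
# certificate CN and to the roster, so it must not be cut at a delimiter.
realm dnie {
        auth_pool = dnie_pool
        nostrip
}
realm fnmt {
        auth_pool = fnmt_pool
        nostrip
}

# ---- sites-enabled/default: the dispatching (front-end) server ----
server default {
        authorize {
                preprocess
                # The outer identity is whatever the supplicant sends and is
                # not authenticated yet: it only chooses a virtual server.
                # ".+" stands in for the accented character so the match does
                # not depend on the encoding the supplicant used.
                if (User-Name =~ /\(AUTENTICACI.+N\)$/) {
                        update control {
                                Proxy-To-Realm := "fnmt"
                        }
                }
                elsif (User-Name =~ /^NOMBRE/) {
                        update control {
                                Proxy-To-Realm := "dnie"
                        }
                }
                else {
                        # Neither pattern: no CA is responsible, drop it here.
                        reject
                }
        }
        # No authenticate section here: the realm's virtual server does it.
}

# ---- sites-enabled/dnie: one CA, one roster, one EAP instance ----
server dnie {
        authorize {
                # Roster of authorized CNs (the "autorizados" file in the
                # thread). The files module returns notfound for an absent
                # entry; that is turned into a reject so unknown holders of a
                # valid DNIe certificate do not get in.
                autorizados_dnie {
                        notfound = reject
                }
                eap_dnie {
                        ok = return
                }
        }
        authenticate {
                eap_dnie
        }
}

# ---- modules (assumed instance names) ----
# Roster in "users" file syntax, one line per accepted CN, e.g.
#   "NOMBRE APELLIDO1 APELLIDO2, JUAN"   Auth-Type := EAP
files autorizados_dnie {
        usersfile = ${confdir}/autorizados_dnie
}
eap eap_dnie {
        default_eap_type = tls
        tls {
                certdir = ${confdir}/certs
                private_key_file = ${certdir}/server.key
                certificate_file = ${certdir}/server.pem
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
                # Only this CA's chain: a certificate issued by the other CA
                # fails here even if its CN happened to match this server's
                # User-Name pattern.
                CA_file = ${certdir}/dnie-ca-chain.pem
                # Bind the presented certificate to the identity that drove
                # the dispatch and the roster lookup. Without this, any holder
                # of a certificate from the trusted CA could send a roster
                # entry's name as the outer identity and be accepted.
                check_cert_cn = %{User-Name}
        }
}
```

Two points a practitioner should keep in mind. The User-Name regex is routing, not access control: the supplicant chooses that string, so every security decision has to be made again inside the per-CA server, by CA_file (which issuers are trusted at all), check_cert_cn (the name in the certificate is the name that was looked up) and the roster (which names from that issuer are wanted). Leaving check_cert_cn out is exactly the "accepts anybody" situation in the subject line: any certificate from the CA passes TLS, and the roster is then checked against a name the client made up. Second, the suffix/realm module Fernando points to splits on a single delimiter such as "@"; it cannot recognise a "(AUTENTICACIÓN)" tail or a "NOMBRE" head, which is why the dispatch above is done with unlang regexes and Proxy-To-Realm rather than with that module. Confirm the exact option names against the eap.conf and proxy.conf shipped with the FreeRADIUS version in use before deploying.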



More information about the Freeradius-Users mailing list