about "freeradius accepts anybody"

Sergio sergioyebenes at alumnos.upm.es
Sat Jul 12 15:43:09 CEST 2008


Ivan Kalik wrote:
>> "AUTENTICACIÓN" is a suffix of user-name, but only for those
>> certificates that are subordinated to FNMT CA. "NOMBRE" is a prefix of
>> user-name which have DNIe, subordinated to another CA. I want to
>> configure two virtual servers based on these details, if I can.
>>     
>
> OK. I had a look and found out that these are not really user
> certificates but electronic ID cards.
>
> Since you won't know which of the two authorities issued an ID card for
> your user (they probably could have both and use one today and another
> one tomorrow), you should duplicate your filtering user entries in users
> file: one with prefix, one with suffix.
>
> You should have several hundred user entries in users file so doubling
> them will have very little impact on performance. But for every change
> to users file you will need to restart the server (AFAIK HUP-ing is
> still not recommended).
>
> Ivan Kalik
> Kalik Informatika ISP
>
Yeah. I was thinking about the users file, using a virtual server. If I've
understood, it's like a "global variable". This is very simple and
effective. At this moment I have two users with my two smartcards, for my
own tests but without virtual servers. I'm just changing CA_file again
and again but I'll see what Fernando says.....English makes me spend
more time, but reducing......The most complicated thing that I've done
with freeradius at this moment is to put three intermediate authorities
and the root CA in the same CA_file, hahaha. Configuring a basic freeradius is
very simple. wpa_supplicant with pkcs11 and DNIe has been more
difficult for me. But this.....uf. Wikin'....

Thanks

P.S.: OCSP would be so good.....


