<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
Sorry, I've got persistent problems:<br><br>- I filter the client certificate under the authenticate section (under eap) with: Auth-Type eap {<br> if ( "%{TLS-Client-Cert-Subject}" =~ /OU=xxxxx/ ) {<br> reject<br> }<br> }.<br>Firstly, it's written in the "default" file:<br> <i>Please do not put "unlang" configurations into the "authenticate"<br># section. Put them in the "post-auth" section instead. That's what<br># the post-auth section is for.</i><br>But, in my view, it's not right because I don't want to enter into post-auth. It must be rejected before.<br><br>Secondly,<br><br>with this configuration, I try to authenticate a client with certificate OU=xxxxx. According to debug mode, it seemed to work. The client (Windows XP) made 21 requests without success. But on the 22nd, it seemed to authenticate successfully, because I see the client associated to the AP. After some time (5-10 minutes), the client seemed to be detached and entered an authentication loop until it succeeded in authenticating.<br><br>Do you know why the client succeeds in authenticating for a time?<br>Is it possible to avoid requests from certain clients?<br>I restrict authentication requests to a chosen NAS. I want to prevent clients from entering an authentication loop. But these clients can request authentication through the chosen NAS.<br><br>Cheers.<br><br><br><br><div><div id="SkyDrivePlaceholder"></div><hr id="stopSpelling">From: zoumlander@hotmail.com<br>To: freeradius-users@lists.freeradius.org<br>Subject: RE: eap/tls questions with freeradius<br>Date: Fri, 23 Dec 2011 10:32:54 +0000<br><br>
<div dir="ltr">
Thanks!!!<br><br><div><div id="ecxSkyDrivePlaceholder"></div>> Date: Fri, 23 Dec 2011 16:26:20 +0700<br>> Subject: Re: eap/tls questions with freeradius<br>> From: list@fajar.net<br>> To: freeradius-users@lists.freeradius.org<br>> <br>> On Fri, Dec 23, 2011 at 3:54 PM, vazoumana fofana<br>> &lt;zoumlander@hotmail.com&gt; wrote:<br>> ><br>> > Do you know where I can insert a script to add new functions like described<br>> > in my previous email?<br>> > When client sends its certificate, server checks before username or<br>> > certificate validity?<br>> <br>> Try:<br>> - http://wiki.freeradius.org/Sites%20configuration<br>> - http://freeradius.org/radiusd/man/unlang.html<br>> - http://wiki.freeradius.org/Rlm_perl<br>> <br>> Use unlang and attributes (such as TLS-Client-Cert-Common-Name) to do<br>> whatever filtering you want. If you need complex processing, you might<br>> have to use rlm_perl as well.<br>> <br>> -- <br>> Fajar<br>> <br>> -<br>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<br></div> </div></div> </div></body>
</html>