Hi Klaus,
For peap you don't use a certificate on the client (better: supplicant) side, so it is not checked. What you seem to have revoked is the certficate the server presents to the supplicant, which has no part in deciding to authorize/authenticate the user.
It is as surely your telling. I did not understand PEAP's specification, but I know it. Thank you for your answering! Best Regards, Kouji Amemiya On Fri, 16 Dec 2005 12:39:42 +0100 wbh <wbhoer@gmail.com> wrote:
On 12/16/05, Kouji Amemiya <amemiya@allied-telesis.co.jp> wrote:
I was using the certificate published by OpenSSL, I revoked this certificate. (Herewith, this certificate's information was written on CRL.)
And I attempted PEAP authentication by this revoked certificate, but authentication result was "Access-Accept".
For peap you don't use a certificate on the client (better: supplicant) side, so it is not checked. What you seem to have revoked is the certficate the server presents to the supplicant, which has no part in deciding to authorize/authenticate the user.
Why the supplicant doesn't refuse the supposedly revoked server certificate would be interesting (you could look into your setup, if the supplicant did check for the latest CRL of the certicate's issuer), but is unresponsive to your original question.
Regards, Klaus Hvrcher
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html