Thank you for reply. I have to protect cert ddos attacks for OCSP server. I'll find another way. Thanks anyway! On 2016/04/22 22:14, Alan DeKok wrote:
On Apr 22, 2016, at 4:38 AM, Mitsuhiro Nakamura <mitsuhiro.nakamura@nabiq.co.jp> wrote:
Thank you for reply. I changed check-eap-tls before ocsp as bellow
Order in the configuration files doesn't matter.
Order *does* matter for "unlang", e.g. in authorize, authenticate, etc.
raddb/sites-enabled/check-eap-tls if ("%{TLS-Client-Cert-Common-Name}" =~ /^.*@domain\.com$/) { update config { &Auth-Type := Accept
You cannot do that.
For one, it's "update control", not "update config".
And you *cannot* just return "Accept" for EAP-TLS. The protocol is designed to make that impossible.
i.e. the configuration file lets you do that, but the client will detect that the protocol is wrong, and stop doing EAP-TLS... and not get on the network.
but in this case ocsp never execute if check-eap-tls success. any ideas?
If you bypass all of EAP-TLS by forcing Access-Accept, then yes... the EAP-TLS checks will not be run.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html