Fernando escribió:
let me see... at this time... can all client with a valid certificate gain access to the network?
Sergio Yébenes Moreno wrote:
Fernando escribió:
I don't understand, what is your goal?
Sergio Yébenes Moreno wrote:
Using eap-tls we can make a "filter" to users, based on different attibutes (I think). In my case, the "identity" field in wpa_supplicant.conf.
Freeradius config:
file users contains this ..... ..... $INCLUDE autorizados DEFAULT Auth-Type := Reject Reply-Message = "out" ...... ......
file autorizados contains this "user1" Cleartext-Password := "" Reply-Message = "Autorizando....." Fall-Through = No "user2" ............ ...........
I had to make this because I'm not the signer of client certificates, only for server. I hope that somebody will help this. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
To use eap-tls with client certs signed by a public CA. Public CA means that I can't do anything with this. But I don't want that everybody comes to my network. I know that my english isn't very clear, but I think it's very simple. Clients are in a public PKI. Servers are in my own PKI. Clients trust in my PKI, servers trust in this public PKI. But servers only authorize some users. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
No. Only if they are in "autorizados" file. I've checked it with wpa_supplicant, changing the "identity" field, but with the same certificate. The certificate are signed by a public CA. Its the DNIe in Spain. Probably you know it. Because of this, I should have a "filter" to users. This is my proyect at university. To use DNIe in my home network aren't in my objectives.