Hi, using freeradius with EAP-TLS, the CommonName field of client certificate contains this: "pepe" If my file raddb/users constains this: "pepe123" Auth-Type := EAP Radius sends an Access-Acept and they shouldn't. Can anybody help me? Thanks a lot
Sergio Yébenes Moreno wrote:
using freeradius with EAP-TLS, the CommonName field of client certificate contains this: "pepe" If my file raddb/users constains this: "pepe123" Auth-Type := EAP Radius sends an Access-Acept and they shouldn't.
(1) EAP-TLS authenticates users based on client certificates. If you don't want a user to be authenticated, don't issue them a client certificate. Or, revoke their client certificate. (2) The configuration you posted disagrees with itself. Are you configuring something for "pepe", or "pepe123" ? (3) The configuration you posted does nothing other than request EAP authentication... which is already done for EAP-TLS. (4) Nothing in what you posted indicates that the server should reject anyone. i.e. You have NOT configured the server to reject any users. As a result, it does not reject anyone. Alan DeKok.
Alan DeKok escribió:
Sergio Yébenes Moreno wrote:
using freeradius with EAP-TLS, the CommonName field of client certificate contains this: "pepe" If my file raddb/users constains this: "pepe123" Auth-Type := EAP Radius sends an Access-Acept and they shouldn't.
(1) EAP-TLS authenticates users based on client certificates. If you don't want a user to be authenticated, don't issue them a client certificate. Or, revoke their client certificate.
(2) The configuration you posted disagrees with itself. Are you configuring something for "pepe", or "pepe123" ?
(3) The configuration you posted does nothing other than request EAP authentication... which is already done for EAP-TLS.
(4) Nothing in what you posted indicates that the server should reject anyone.
i.e. You have NOT configured the server to reject any users. As a result, it does not reject anyone.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks, it's really easy to understand. Do you know if freeradius can make ocsp request? jejeje In /freeradius-server-2.0.5/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c they mention ocsp protocol but in eap.conf there are nothing about this!! Thanks again
First line in eap.conf says: "Whatever you do, do NOT set 'Auth-Type := EAP'." Ivan Kalik Kalik Informatika ISP Dana 30/6/2008, "Sergio Yébenes Moreno" <sergioyebenes@alumnos.upm.es> piše:
Hi,
using freeradius with EAP-TLS, the CommonName field of client certificate contains this: "pepe" If my file raddb/users constains this: "pepe123" Auth-Type := EAP Radius sends an Access-Acept and they shouldn't. Can anybody help me?
Thanks a lot - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Ivan Kalik -
Sergio Yébenes Moreno