Hello, I'm using FreeRADIUS-1.0.5 on Windows XP and Windows XP client. And I'm attempting PEAP authentication. I was using the certificate published by OpenSSL, I revoked this certificate. (Herewith, this certificate's information was written on CRL.) And I attempted PEAP authentication by this revoked certificate, but authentication result was "Access-Accept". Is my setup amusing? Please give me advice by all means. A eap.conf is shown below. // eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { #challenge = "Password: " auth_type = PAP } tls { private_key_password = bbbb private_key_file = ${raddbdir}/newcerts/serverkey.pem certificate_file = ${raddbdir}/newcerts/servercert.pem CA_file = ${raddbdir}/newcerts/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random # fragment_size = 1024 # include_length = yes CA_path = ${raddbdir}/newcerts/ check_crl = yes check_cert_cn = %{User-Name} } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = no } mschapv2 { } } -- Kouji Amemiya <amemiya@allied-telesis.co.jp>
On 12/16/05, Kouji Amemiya <amemiya@allied-telesis.co.jp> wrote:
I was using the certificate published by OpenSSL, I revoked this certificate. (Herewith, this certificate's information was written on CRL.)
And I attempted PEAP authentication by this revoked certificate, but authentication result was "Access-Accept".
For peap you don't use a certificate on the client (better: supplicant) side, so it is not checked. What you seem to have revoked is the certficate the server presents to the supplicant, which has no part in deciding to authorize/authenticate the user. Why the supplicant doesn't refuse the supposedly revoked server certificate would be interesting (you could look into your setup, if the supplicant did check for the latest CRL of the certicate's issuer), but is unresponsive to your original question. Regards, Klaus Hörcher
Hi Klaus,
For peap you don't use a certificate on the client (better: supplicant) side, so it is not checked. What you seem to have revoked is the certficate the server presents to the supplicant, which has no part in deciding to authorize/authenticate the user.
It is as surely your telling. I did not understand PEAP's specification, but I know it. Thank you for your answering! Best Regards, Kouji Amemiya On Fri, 16 Dec 2005 12:39:42 +0100 wbh <wbhoer@gmail.com> wrote:
On 12/16/05, Kouji Amemiya <amemiya@allied-telesis.co.jp> wrote:
I was using the certificate published by OpenSSL, I revoked this certificate. (Herewith, this certificate's information was written on CRL.)
And I attempted PEAP authentication by this revoked certificate, but authentication result was "Access-Accept".
For peap you don't use a certificate on the client (better: supplicant) side, so it is not checked. What you seem to have revoked is the certficate the server presents to the supplicant, which has no part in deciding to authorize/authenticate the user.
Why the supplicant doesn't refuse the supposedly revoked server certificate would be interesting (you could look into your setup, if the supplicant did check for the latest CRL of the certicate's issuer), but is unresponsive to your original question.
Regards, Klaus Hvrcher
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Kouji Amemiya -
wbh