Question about windowsXP(Odessey Client) + EAP-TLS with freeRADIUS
Hi, I am using freeRADIUS 1.1.6. And I use EAP-TLS and with correct certs. Even if I set wrong username in Odessey Client, freeRADIUS will return success.(check_cert_cn not set). Can I let freeRADIUS to check if username in the users file or other database? If not, reject user. Thanks! John --------------------------------- 天生购物狂,狂抢购物券,你还等什么!
Don't use EAP-TLS. Use PEAP or EAP-TTLS. Ivan Kalik Kalik Informatika ISP Dana 12/12/2007, "Hangjun He" <elmerhe@yahoo.com.cn> piše:
Hi, I am using freeRADIUS 1.1.6. And I use EAP-TLS and with correct certs. Even if I set wrong username in Odessey Client, freeRADIUS will return success.(check_cert_cn not set). Can I let freeRADIUS to check if username in the users file or other database? If not, reject user. Thanks!
John
--------------------------------- ĚěÉúšşÎďżńŁŹżńÇŔšşÎďČŻŁŹÄăťšľČĘ˛Ă´ŁĄ
Hangjun He wrote:
And I use EAP-TLS and with correct certs. Even if I set wrong username in Odessey Client, freeRADIUS will return success.(check_cert_cn not set).
EAP-TLS authenticates users based on certificates. It ignores the user name.
Can I let freeRADIUS to check if username in the users file or other database? If not, reject user.
Yes. Configure that: bob Auth-Type := Reject Alan DeKok.
Hangjun He wrote:
And I use EAP-TLS and with correct certs. Even if I set wrong username in Odessey Client, freeRADIUS will return success.(check_cert_cn not set).
EAP-TLS authenticates users based on certificates. It ignores the user name.
i think, thats not completely correct. when you use eap-tls, the username in the radius-packet is the common name of your certificate. so you can check in the users file against the common name, and reject specific common names... if you set check_cert_cn to "yes", then the server will compare the common name of the certicate with the user-name in the radius packet (as i said, this is normally also the common name).
Can I let freeRADIUS to check if username in the users file or other database? If not, reject user.
Yes. Configure that:
bob Auth-Type := Reject
Alan DeKok.
Sebastian -- Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer
Yes. It sounds good. Check common name in the certificate with databases(users or others). John s3b0@gmx.de 写道:
Hangjun He wrote:
And I use EAP-TLS and with correct certs. Even if I set wrong username in Odessey Client, freeRADIUS will return success.(check_cert_cn not set).
EAP-TLS authenticates users based on certificates. It ignores the user name.
i think, thats not completely correct. when you use eap-tls, the username in the radius-packet is the common name of your certificate. so you can check in the users file against the common name, and reject specific common names... if you set check_cert_cn to "yes", then the server will compare the common name of the certicate with the user-name in the radius packet (as i said, this is normally also the common name).
Can I let freeRADIUS to check if username in the users file or other database? If not, reject user.
Yes. Configure that:
bob Auth-Type := Reject
Alan DeKok.
Sebastian -- Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- 天生购物狂,狂抢购物券,你还等什么!
participants (4)
-
Alan DeKok -
Hangjun He -
s3b0@gmx.de -
tnt@kalik.co.yu