about "freeradius accepts anybody"
Using eap-tls we can make a "filter" to users, based on different attibutes (I think). In my case, the "identity" field in wpa_supplicant.conf. Freeradius config: file users contains this ..... ..... $INCLUDE autorizados DEFAULT Auth-Type := Reject Reply-Message = "out" ...... ...... file autorizados contains this "user1" Cleartext-Password := "" Reply-Message = "Autorizando....." Fall-Through = No "user2" ............ ........... I had to make this because I'm not the signer of client certificates, only for server. I hope that somebody will help this.
file autorizados contains this "user1" Cleartext-Password := "" Reply-Message = "Autorizando....." Fall-Through = No
That's not going to work. You can't make EAP-TLS use passwords.
I had to make this because I'm not the signer of client certificates, only for server.
What are people with certificates that you haven't issued doing on your network? If you are accepting users from another organization, proxy requests to their home server. But if you are to maintain control over who gets access to your network you should tell people to use PEAP and give them usernames/passwords that you will store in autorizados file. Ivan Kalik Kalik Informatika ISP
Ivan Kalik escribió:
file autorizados contains this "user1" Cleartext-Password := "" Reply-Message = "Autorizando....." Fall-Through = No
That's not going to work. You can't make EAP-TLS use passwords.
That's work
I had to make this because I'm not the signer of client certificates, only for server.
What are people with certificates that you haven't issued doing on your network? If you are accepting users from another organization, proxy requests to their home server. But if you are to maintain control over who gets access to your network you should tell people to use PEAP and give them usernames/passwords that you will store in autorizados file.
I have to use eap-tls. It's very simple. I have a CA to sign server cert and a public CA in Spain signs clients cert. Welcome to PKI
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
I don't understand, what is your goal? Sergio Yébenes Moreno wrote:
Using eap-tls we can make a "filter" to users, based on different attibutes (I think). In my case, the "identity" field in wpa_supplicant.conf.
Freeradius config:
file users contains this ..... ..... $INCLUDE autorizados DEFAULT Auth-Type := Reject Reply-Message = "out" ...... ......
file autorizados contains this "user1" Cleartext-Password := "" Reply-Message = "Autorizando....." Fall-Through = No "user2" ............ ...........
I had to make this because I'm not the signer of client certificates, only for server. I hope that somebody will help this. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fernando escribió:
I don't understand, what is your goal?
Sergio Yébenes Moreno wrote:
Using eap-tls we can make a "filter" to users, based on different attibutes (I think). In my case, the "identity" field in wpa_supplicant.conf.
Freeradius config:
file users contains this ..... ..... $INCLUDE autorizados DEFAULT Auth-Type := Reject Reply-Message = "out" ...... ......
file autorizados contains this "user1" Cleartext-Password := "" Reply-Message = "Autorizando....." Fall-Through = No "user2" ............ ...........
I had to make this because I'm not the signer of client certificates, only for server. I hope that somebody will help this. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
To use eap-tls with client certs signed by a public CA. Public CA means that I can't do anything with this. But I don't want that everybody comes to my network. I know that my english isn't very clear, but I think it's very simple. Clients are in a public PKI. Servers are in my own PKI. Clients trust in my PKI, servers trust in this public PKI. But servers only authorize some users.
let me see... at this time... can all client with a valid certificate gain access to the network? Sergio Yébenes Moreno wrote:
Fernando escribió:
I don't understand, what is your goal?
Sergio Yébenes Moreno wrote:
Using eap-tls we can make a "filter" to users, based on different attibutes (I think). In my case, the "identity" field in wpa_supplicant.conf.
Freeradius config:
file users contains this ..... ..... $INCLUDE autorizados DEFAULT Auth-Type := Reject Reply-Message = "out" ...... ......
file autorizados contains this "user1" Cleartext-Password := "" Reply-Message = "Autorizando....." Fall-Through = No "user2" ............ ...........
I had to make this because I'm not the signer of client certificates, only for server. I hope that somebody will help this. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
To use eap-tls with client certs signed by a public CA. Public CA means that I can't do anything with this. But I don't want that everybody comes to my network. I know that my english isn't very clear, but I think it's very simple. Clients are in a public PKI. Servers are in my own PKI. Clients trust in my PKI, servers trust in this public PKI. But servers only authorize some users. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fernando escribió:
let me see... at this time... can all client with a valid certificate gain access to the network?
Sergio Yébenes Moreno wrote:
Fernando escribió:
I don't understand, what is your goal?
Sergio Yébenes Moreno wrote:
Using eap-tls we can make a "filter" to users, based on different attibutes (I think). In my case, the "identity" field in wpa_supplicant.conf.
Freeradius config:
file users contains this ..... ..... $INCLUDE autorizados DEFAULT Auth-Type := Reject Reply-Message = "out" ...... ......
file autorizados contains this "user1" Cleartext-Password := "" Reply-Message = "Autorizando....." Fall-Through = No "user2" ............ ...........
I had to make this because I'm not the signer of client certificates, only for server. I hope that somebody will help this. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
To use eap-tls with client certs signed by a public CA. Public CA means that I can't do anything with this. But I don't want that everybody comes to my network. I know that my english isn't very clear, but I think it's very simple. Clients are in a public PKI. Servers are in my own PKI. Clients trust in my PKI, servers trust in this public PKI. But servers only authorize some users. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
No. Only if they are in "autorizados" file. I've checked it with wpa_supplicant, changing the "identity" field, but with the same certificate. The certificate are signed by a public CA. Its the DNIe in Spain. Probably you know it. Because of this, I should have a "filter" to users. This is my proyect at university. To use DNIe in my home network aren't in my objectives.
Sergio Yébenes Moreno wrote:
Fernando escribió:
let me see... at this time... can all client with a valid certificate gain access to the network?
Sergio Yébenes Moreno wrote:
Fernando escribió:
I don't understand, what is your goal?
Sergio Yébenes Moreno wrote:
Using eap-tls we can make a "filter" to users, based on different attibutes (I think). In my case, the "identity" field in wpa_supplicant.conf.
Freeradius config:
file users contains this ..... ..... $INCLUDE autorizados DEFAULT Auth-Type := Reject Reply-Message = "out" ...... ......
file autorizados contains this "user1" Cleartext-Password := "" Reply-Message = "Autorizando....." Fall-Through = No "user2" ............ ...........
I had to make this because I'm not the signer of client certificates, only for server. I hope that somebody will help this. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
To use eap-tls with client certs signed by a public CA. Public CA means that I can't do anything with this. But I don't want that everybody comes to my network. I know that my english isn't very clear, but I think it's very simple. Clients are in a public PKI. Servers are in my own PKI. Clients trust in my PKI, servers trust in this public PKI. But servers only authorize some users. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
No. Only if they are in "autorizados" file. I've checked it with wpa_supplicant, changing the "identity" field, but with the same certificate. The certificate are signed by a public CA. Its the DNIe in Spain. Probably you know it. Because of this, I should have a "filter" to users. This is my proyect at university. To use DNIe in my home network aren't in my objectives. - anyone that has a DNIe can access to your home network. I mean that you must have two phases first user authentication with DNIe and other a process of authorization. You do the authorization process with the file "autorizados". So, what is the problem?
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fernando escribió:
Sergio Yébenes Moreno wrote:
Fernando escribió:
let me see... at this time... can all client with a valid certificate gain access to the network?
Sergio Yébenes Moreno wrote:
Fernando escribió:
I don't understand, what is your goal?
Sergio Yébenes Moreno wrote:
Using eap-tls we can make a "filter" to users, based on different attibutes (I think). In my case, the "identity" field in wpa_supplicant.conf.
Freeradius config:
file users contains this ..... ..... $INCLUDE autorizados DEFAULT Auth-Type := Reject Reply-Message = "out" ...... ......
file autorizados contains this "user1" Cleartext-Password := "" Reply-Message = "Autorizando....." Fall-Through = No "user2" ............ ...........
I had to make this because I'm not the signer of client certificates, only for server. I hope that somebody will help this. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
To use eap-tls with client certs signed by a public CA. Public CA means that I can't do anything with this. But I don't want that everybody comes to my network. I know that my english isn't very clear, but I think it's very simple. Clients are in a public PKI. Servers are in my own PKI. Clients trust in my PKI, servers trust in this public PKI. But servers only authorize some users. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
No. Only if they are in "autorizados" file. I've checked it with wpa_supplicant, changing the "identity" field, but with the same certificate. The certificate are signed by a public CA. Its the DNIe in Spain. Probably you know it. Because of this, I should have a "filter" to users. This is my proyect at university. To use DNIe in my home network aren't in my objectives. - anyone that has a DNIe can access to your home network. I mean that you must have two phases first user authentication with DNIe and other a process of authorization. You do the authorization process with the file "autorizados". So, what is the problem?
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
first, freeradius looks in users file, and only if client is authorized, checks DNIe. There aren't any problem, only want to show, maybe help somebody, and to show Ivan Kalik how clients and servers can trust in different ca's. Thanks for reading me
Fernando escribió:
let me see... at this time... can all client with a valid certificate gain access to the network?
Sergio Yébenes Moreno wrote:
Fernando escribió:
I don't understand, what is your goal?
Sergio Yébenes Moreno wrote:
Using eap-tls we can make a "filter" to users, based on different attibutes (I think). In my case, the "identity" field in wpa_supplicant.conf.
Freeradius config:
file users contains this ..... ..... $INCLUDE autorizados DEFAULT Auth-Type := Reject Reply-Message = "out" ...... ......
file autorizados contains this "user1" Cleartext-Password := "" Reply-Message = "Autorizando....." Fall-Through = No "user2" ............ ...........
I had to make this because I'm not the signer of client certificates, only for server. I hope that somebody will help this. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
To use eap-tls with client certs signed by a public CA. Public CA means that I can't do anything with this. But I don't want that everybody comes to my network. I know that my english isn't very clear, but I think it's very simple. Clients are in a public PKI. Servers are in my own PKI. Clients trust in my PKI, servers trust in this public PKI. But servers only authorize some users. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
Ok. DNIe gives PUBLIC access control, to a public network (university, madrid Wifi (jeje, gallardón va de rey alcalde) etc), Dinamic keys, and all in 802.1x and, in consequence, 802.11i. But probably we don't want everybody in this network.Surely we hadn't spend money and time issuing certificates to clients. Because of this, we have "autorizados" file. Then, we only should issue certificates to radius. Clients trust in my CA, and radius trust in "ministerio del interior" jejeje, that sings certificates for everybody in Spain.
Ok. DNIe gives PUBLIC access control, to a public network (university, madrid Wifi (jeje, gallardón va de rey alcalde) etc), Dinamic keys, and all in 802.1x and, in consequence, 802.11i. But probably we don't want everybody in this network.Surely we hadn't spend money and time issuing certificates to clients. Because of this, we have "autorizados" file. Then, we only should issue certificates to radius. Clients trust in my CA, and radius trust in "ministerio del interior" jejeje, that sings certificates for everybody in Spain.
I can see where you are heading with this. You want to use usernames/passwords *and* check client certificates. Freeradius doesn't support this. That is called PEAP-EAP-TLS and is supported in Microsoft-only networks. Ivan Kalik Kalik Informatika ISP
Ivan Kalik escribió:
Ok. DNIe gives PUBLIC access control, to a public network (university, madrid Wifi (jeje, gallardón va de rey alcalde) etc), Dinamic keys, and all in 802.1x and, in consequence, 802.11i. But probably we don't want everybody in this network.Surely we hadn't spend money and time issuing certificates to clients. Because of this, we have "autorizados" file. Then, we only should issue certificates to radius. Clients trust in my CA, and radius trust in "ministerio del interior" jejeje, that sings certificates for everybody in Spain.
I can see where you are heading with this. You want to use usernames/passwords *and* check client certificates. Freeradius doesn't support this. That is called PEAP-EAP-TLS and is supported in Microsoft-only networks.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
I don't want to use passwords. Only want to use what at this time is working: public domain eap-tls, but only students of an university, for example. Probably there are better methods to do this, but this works. I promise..... "identity" field in wpa_supplicant and cert's "commonName" in winXP clients. Now I want to put 3 virtual server, one for DNIe and one for another public CA (FNMT) that have less range than DNIe. I'd like to ask you, if you know. "authorize" section supports unlang and we can use User-Name, for example, to authenticate in any virtual server. I suspect that I can't do this based on signer of client certificate. The point is that common name in certificates signed by FNMT comes with a prefix well-known, and DNIe CommonName comes with a suffix well-known. I don't know how to begin.....hints file, sites-enabled, regular expressions....Freeradius virtual servers documentation shows virtual server based on IP, access points, server pools, but nothing about user credentials.....
Sergio Yébenes Moreno wrote:
I don't want to use passwords.
Then why did the configurations you posted use passwords?
Now I want to put 3 virtual server, one for DNIe and one for another public CA (FNMT) that have less range than DNIe. I'd like to ask you, if you know. "authorize" section supports unlang and we can use User-Name, for example, to authenticate in any virtual server. I suspect that I can't do this based on signer of client certificate. The point is that common name in certificates signed by FNMT comes with a prefix well-known, and DNIe CommonName comes with a suffix well-known. I don't know how to begin.....hints file, sites-enabled, regular expressions....Freeradius virtual servers documentation shows virtual server based on IP, access points, server pools, but nothing about user credentials.....
Because it's not supported. If it was supported, it would have been documented. Alan DeKok.
Alan DeKok escribió:
Sergio Yébenes Moreno wrote:
I don't want to use passwords.
Then why did the configurations you posted use passwords?
Now I want to put 3 virtual server, one for DNIe and one for another public CA (FNMT) that have less range than DNIe. I'd like to ask you, if you know. "authorize" section supports unlang and we can use User-Name, for example, to authenticate in any virtual server. I suspect that I can't do this based on signer of client certificate. The point is that common name in certificates signed by FNMT comes with a prefix well-known, and DNIe CommonName comes with a suffix well-known. I don't know how to begin.....hints file, sites-enabled, regular expressions....Freeradius virtual servers documentation shows virtual server based on IP, access points, server pools, but nothing about user credentials.....
Because it's not supported. If it was supported, it would have been documented.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
If I don't put Cleartext-Password := "" field (""!!!), the user always be rejected. Can anybody to explain this? I haven't tried with some password, because results me ridiculous, I haven't configure any password for clients...
If I don't put Cleartext-Password := "" field (""!!!), the user always be rejected. Can anybody to explain this? I haven't tried with some password, because results me ridiculous, I haven't configure any password for clients...
Let's put that to the test. Put the username that you want to test on the very first line of users file. Just username, nothing else as check or reply and a blank row after. And post the debug of that user being rejected. You are saying that you have to have some kind of password or something else configured for the user. I'm telling you that you don't: just usernames separated by blank rows. Totally trivial entries that only prevent users file being read down to the Auth-Type Reject line. Ivan Kalik Kalik Informatika ISP
Ivan Kalik escribió:
If I don't put Cleartext-Password := "" field (""!!!), the user always be rejected. Can anybody to explain this? I haven't tried with some password, because results me ridiculous, I haven't configure any password for clients...
Let's put that to the test. Put the username that you want to test on the very first line of users file. Just username, nothing else as check or reply and a blank row after. And post the debug of that user being rejected.
You are saying that you have to have some kind of password or something else configured for the user. I'm telling you that you don't: just usernames separated by blank rows. Totally trivial entries that only prevent users file being read down to the Auth-Type Reject line.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
The situation that you exposed logically works. But I can't authorize all users in spite of having a valid certificate, because the public PKI..... Then, users file: ...... "user1" ........ "user2" ........ DEFAULT Auth-Type := Reject ........ works, but if I put "userX" into another file and make an include, don't. In this situation, If I append an empty cleartext-password, works, with fall-through = no (I haven't tried with fall-through = yes because isn't logic) On the other side, I put Fall-Through attribute to tell radius that should stop when a user matches users file, but looks isn't necessary. I'm confused....
The situation that you exposed logically works. But I can't authorize all users in spite of having a valid certificate, because the public PKI.....
.. what? You can authenticate some users (which) - what's the problem with the others?
Then, users file: ....... "user1" ......... "user2" ......... DEFAULT Auth-Type := Reject .........
works, but if I put "userX" into another file and make an include, don't. In this situation, If I append an empty cleartext-password, works, with fall-through = no
That sounds like a parser issue. But there is no real need to use another file.
On the other side, I put Fall-Through attribute to tell radius that should stop when a user matches users file, but looks isn't necessary.
Yes. users file will not be read any furter unless the matched entry contains Fall-Through = Yes. You could say that Fall-Through = No is assumed.
Ivan Kalik escribió:
The situation that you exposed logically works. But I can't authorize all users in spite of having a valid certificate, because the public PKI.....
.. what? You can authenticate some users (which) - what's the problem with the others?
Any problem now
Then, users file: ....... "user1" ......... "user2" ......... DEFAULT Auth-Type := Reject .........
works, but if I put "userX" into another file and make an include, don't. In this situation, If I append an empty cleartext-password, works, with fall-through = no
That sounds like a parser issue. But there is no real need to use another file.
It's true, no real need.
On the other side, I put Fall-Through attribute to tell radius that should stop when a user matches users file, but looks isn't necessary.
Yes. users file will not be read any furter unless the matched entry contains Fall-Through = Yes. You could say that Fall-Through = No is assumed.
I've understood. Thanks
Sergio Yébenes Moreno wrote:
Ivan Kalik escribió:
Ok. DNIe gives PUBLIC access control, to a public network (university, madrid Wifi (jeje, gallardón va de rey alcalde) etc), Dinamic keys, and all in 802.1x and, in consequence, 802.11i. But probably we don't want everybody in this network.Surely we hadn't spend money and time issuing certificates to clients. Because of this, we have "autorizados" file. Then, we only should issue certificates to radius. Clients trust in my CA, and radius trust in "ministerio del interior" jejeje, that sings certificates for everybody in Spain.
I can see where you are heading with this. You want to use usernames/passwords *and* check client certificates. Freeradius doesn't support this. That is called PEAP-EAP-TLS and is supported in Microsoft-only networks.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
I don't want to use passwords. Only want to use what at this time is working: public domain eap-tls, but only students of an university, for example. Probably there are better methods to do this, but this works. I promise..... "identity" field in wpa_supplicant and cert's "commonName" in winXP clients. Now I want to put 3 virtual server, one for DNIe and one for another public CA (FNMT) that have less range than DNIe. I'd like to ask you, if you know. "authorize" section supports unlang and we can use User-Name, for example, to authenticate in any virtual server. I suspect that I can't do this based on signer of client certificate. The point is that common name in certificates signed by FNMT comes with a prefix well-known, and DNIe CommonName comes with a suffix well-known. I don't know how to begin.....hints file, sites-enabled, regular expressions....Freeradius virtual servers documentation shows virtual server based on IP, access points, server pools, but nothing about user credentials..... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mmmm.... Do you want authenticate people at different servers?. Use a proxy. CLIENT ------------------> PROXY RADIUS ------------------> DNIe AUTH ------------------> MY CA AUTH ok?
Fernando escribió:
Sergio Yébenes Moreno wrote:
Ivan Kalik escribió:
Ok. DNIe gives PUBLIC access control, to a public network (university, madrid Wifi (jeje, gallardón va de rey alcalde) etc), Dinamic keys, and all in 802.1x and, in consequence, 802.11i. But probably we don't want everybody in this network.Surely we hadn't spend money and time issuing certificates to clients. Because of this, we have "autorizados" file. Then, we only should issue certificates to radius. Clients trust in my CA, and radius trust in "ministerio del interior" jejeje, that sings certificates for everybody in Spain.
I can see where you are heading with this. You want to use usernames/passwords *and* check client certificates. Freeradius doesn't support this. That is called PEAP-EAP-TLS and is supported in Microsoft-only networks.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
I don't want to use passwords. Only want to use what at this time is working: public domain eap-tls, but only students of an university, for example. Probably there are better methods to do this, but this works. I promise..... "identity" field in wpa_supplicant and cert's "commonName" in winXP clients. Now I want to put 3 virtual server, one for DNIe and one for another public CA (FNMT) that have less range than DNIe. I'd like to ask you, if you know. "authorize" section supports unlang and we can use User-Name, for example, to authenticate in any virtual server. I suspect that I can't do this based on signer of client certificate. The point is that common name in certificates signed by FNMT comes with a prefix well-known, and DNIe CommonName comes with a suffix well-known. I don't know how to begin.....hints file, sites-enabled, regular expressions....Freeradius virtual servers documentation shows virtual server based on IP, access points, server pools, but nothing about user credentials..... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mmmm.... Do you want authenticate people at different servers?. Use a proxy.
CLIENT ------------------> PROXY RADIUS ------------------> DNIe AUTH
------------------> MY CA AUTH
ok? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
proxy radius is a good idea specially if the network is big. I think but also think that I can do this with hints file and virtual servers, although I don't understand it yet. If I achieve this surely try what you say. I have 3 or 4 months to do this
Fernando escribió:
Sergio Yébenes Moreno wrote:
Ivan Kalik escribió:
Ok. DNIe gives PUBLIC access control, to a public network (university, madrid Wifi (jeje, gallardón va de rey alcalde) etc), Dinamic keys, and all in 802.1x and, in consequence, 802.11i. But probably we don't want everybody in this network.Surely we hadn't spend money and time issuing certificates to clients. Because of this, we have "autorizados" file. Then, we only should issue certificates to radius. Clients trust in my CA, and radius trust in "ministerio del interior" jejeje, that sings certificates for everybody in Spain.
I can see where you are heading with this. You want to use usernames/passwords *and* check client certificates. Freeradius doesn't support this. That is called PEAP-EAP-TLS and is supported in Microsoft-only networks.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
I don't want to use passwords. Only want to use what at this time is working: public domain eap-tls, but only students of an university, for example. Probably there are better methods to do this, but this works. I promise..... "identity" field in wpa_supplicant and cert's "commonName" in winXP clients. Now I want to put 3 virtual server, one for DNIe and one for another public CA (FNMT) that have less range than DNIe. I'd like to ask you, if you know. "authorize" section supports unlang and we can use User-Name, for example, to authenticate in any virtual server. I suspect that I can't do this based on signer of client certificate. The point is that common name in certificates signed by FNMT comes with a prefix well-known, and DNIe CommonName comes with a suffix well-known. I don't know how to begin.....hints file, sites-enabled, regular expressions....Freeradius virtual servers documentation shows virtual server based on IP, access points, server pools, but nothing about user credentials..... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mmmm.... Do you want authenticate people at different servers?. Use a proxy.
CLIENT ------------------> PROXY RADIUS ------------------> DNIe AUTH
------------------> MY CA AUTH
ok? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
mmmmm I see that I can authenticate users to different servers, based on the domain of user-name, using radius as a proxy. But I have "(AUTENTICACIÓN)" suffix for some users and "NOMBRE" prefix for the others. I think this will make me spent some time..... Thanks Fernando
Sergio wrote:
Fernando escribió:
Sergio Yébenes Moreno wrote:
Ivan Kalik escribió:
Ok. DNIe gives PUBLIC access control, to a public network (university, madrid Wifi (jeje, gallardón va de rey alcalde) etc), Dinamic keys, and all in 802.1x and, in consequence, 802.11i. But probably we don't want everybody in this network.Surely we hadn't spend money and time issuing certificates to clients. Because of this, we have "autorizados" file. Then, we only should issue certificates to radius. Clients trust in my CA, and radius trust in "ministerio del interior" jejeje, that sings certificates for everybody in Spain.
I can see where you are heading with this. You want to use usernames/passwords *and* check client certificates. Freeradius doesn't support this. That is called PEAP-EAP-TLS and is supported in Microsoft-only networks.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
I don't want to use passwords. Only want to use what at this time is working: public domain eap-tls, but only students of an university, for example. Probably there are better methods to do this, but this works. I promise..... "identity" field in wpa_supplicant and cert's "commonName" in winXP clients. Now I want to put 3 virtual server, one for DNIe and one for another public CA (FNMT) that have less range than DNIe. I'd like to ask you, if you know. "authorize" section supports unlang and we can use User-Name, for example, to authenticate in any virtual server. I suspect that I can't do this based on signer of client certificate. The point is that common name in certificates signed by FNMT comes with a prefix well-known, and DNIe CommonName comes with a suffix well-known. I don't know how to begin.....hints file, sites-enabled, regular expressions....Freeradius virtual servers documentation shows virtual server based on IP, access points, server pools, but nothing about user credentials..... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mmmm.... Do you want authenticate people at different servers?. Use a proxy.
CLIENT ------------------> PROXY RADIUS ------------------> DNIe AUTH
------------------> MY CA AUTH
ok? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
mmmmm I see that I can authenticate users to different servers, based on the domain of user-name, using radius as a proxy. But I have "(AUTENTICACIÓN)" suffix for some users and "NOMBRE" prefix for the others. I think this will make me spent some time..... Thanks Fernando - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mmmm i don't understand... put a example :). what do you mean with "AUTENTICACION" and "NOMBRE"?
Fernando escribió:
Sergio wrote:
Fernando escribió:
Sergio Yébenes Moreno wrote:
Ivan Kalik escribió:
Ok. DNIe gives PUBLIC access control, to a public network (university, madrid Wifi (jeje, gallardón va de rey alcalde) etc), Dinamic keys, and all in 802.1x and, in consequence, 802.11i. But probably we don't want everybody in this network.Surely we hadn't spend money and time issuing certificates to clients. Because of this, we have "autorizados" file. Then, we only should issue certificates to radius. Clients trust in my CA, and radius trust in "ministerio del interior" jejeje, that sings certificates for everybody in Spain.
I can see where you are heading with this. You want to use usernames/passwords *and* check client certificates. Freeradius doesn't support this. That is called PEAP-EAP-TLS and is supported in Microsoft-only networks.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
I don't want to use passwords. Only want to use what at this time is working: public domain eap-tls, but only students of an university, for example. Probably there are better methods to do this, but this works. I promise..... "identity" field in wpa_supplicant and cert's "commonName" in winXP clients. Now I want to put 3 virtual server, one for DNIe and one for another public CA (FNMT) that have less range than DNIe. I'd like to ask you, if you know. "authorize" section supports unlang and we can use User-Name, for example, to authenticate in any virtual server. I suspect that I can't do this based on signer of client certificate. The point is that common name in certificates signed by FNMT comes with a prefix well-known, and DNIe CommonName comes with a suffix well-known. I don't know how to begin.....hints file, sites-enabled, regular expressions....Freeradius virtual servers documentation shows virtual server based on IP, access points, server pools, but nothing about user credentials..... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mmmm.... Do you want authenticate people at different servers?. Use a proxy.
CLIENT ------------------> PROXY RADIUS ------------------> DNIe AUTH
------------------> MY CA AUTH
ok? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
mmmmm I see that I can authenticate users to different servers, based on the domain of user-name, using radius as a proxy. But I have "(AUTENTICACIÓN)" suffix for some users and "NOMBRE" prefix for the others. I think this will make me spent some time..... Thanks Fernando - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mmmm i don't understand... put a example :). what do you mean with "AUTENTICACION" and "NOMBRE"? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3260 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
"AUTENTICACIÓN" is a suffix of user-name, but only for those certificates that are subordinated to FNMT ca. "NOMBRE" is a prefix of user-name which have DNIe, subordinated to another ca. I want to configure two virtual servers based on this details, if I can.
Sergio wrote:
Fernando escribió:
Sergio wrote:
Fernando escribió:
Sergio Yébenes Moreno wrote:
Ivan Kalik escribió:
> Ok. DNIe gives PUBLIC access control, to a public network > (university, madrid Wifi (jeje, gallardón va de rey alcalde) > etc), Dinamic keys, and all in 802.1x and, in consequence, > 802.11i. But probably we don't want everybody in this > network.Surely we hadn't spend money and time issuing > certificates to clients. Because of this, we have "autorizados" > file. Then, we only should issue certificates to radius. Clients > trust in my CA, and radius trust in "ministerio del interior" > jejeje, that sings certificates for everybody in Spain. >
I can see where you are heading with this. You want to use usernames/passwords *and* check client certificates. Freeradius doesn't support this. That is called PEAP-EAP-TLS and is supported in Microsoft-only networks.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
I don't want to use passwords. Only want to use what at this time is working: public domain eap-tls, but only students of an university, for example. Probably there are better methods to do this, but this works. I promise..... "identity" field in wpa_supplicant and cert's "commonName" in winXP clients. Now I want to put 3 virtual server, one for DNIe and one for another public CA (FNMT) that have less range than DNIe. I'd like to ask you, if you know. "authorize" section supports unlang and we can use User-Name, for example, to authenticate in any virtual server. I suspect that I can't do this based on signer of client certificate. The point is that common name in certificates signed by FNMT comes with a prefix well-known, and DNIe CommonName comes with a suffix well-known. I don't know how to begin.....hints file, sites-enabled, regular expressions....Freeradius virtual servers documentation shows virtual server based on IP, access points, server pools, but nothing about user credentials..... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mmmm.... Do you want authenticate people at different servers?. Use a proxy.
CLIENT ------------------> PROXY RADIUS ------------------> DNIe AUTH
------------------> MY CA AUTH
ok? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3257 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
mmmmm I see that I can authenticate users to different servers, based on the domain of user-name, using radius as a proxy. But I have "(AUTENTICACIÓN)" suffix for some users and "NOMBRE" prefix for the others. I think this will make me spent some time..... Thanks Fernando - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mmmm i don't understand... put a example :). what do you mean with "AUTENTICACION" and "NOMBRE"? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3260 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
"AUTENTICACIÓN" is a suffix of user-name, but only for those certificates that are subordinated to FNMT ca. "NOMBRE" is a prefix of user-name which have DNIe, subordinated to another ca. I want to configure two virtual servers based on this details, if I can. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
see section suffix in radiusd.conf it could help you.
"AUTENTICACIÓN" is a suffix of user-name, but only for those certificates that are subordinated to FNMT ca. "NOMBRE" is a prefix of user-name which have DNIe, subordinated to another ca. I want to configure two virtual servers based on this details, if I can.
OK. I had a look and found out that these are not really user certificates but electronic ID cards. Since you won't know which of the two authorities issued an ID card for your user (they probably could have both and use one today and another one tomorrow), you should duplicate your filtering user entries in users file: one with prefix, one with suffix. You should have several hunderd user entries in users file so doubling them will have very little impact on performance. But for every change to users file you will need to restart the server (AFAIK HUP-ing is still not recommended). Ivan Kalik Kalik Informatika ISP
Ivan Kalik escribió:
"AUTENTICACIÓN" is a suffix of user-name, but only for those certificates that are subordinated to FNMT ca. "NOMBRE" is a prefix of user-name which have DNIe, subordinated to another ca. I want to configure two virtual servers based on this details, if I can.
OK. I had a look and found out that these are not really user certificates but electronic ID cards.
Since you won't know which of the two authorities issued an ID card for your user (they probably could have both and use one today and another one tomorrow), you should duplicate your filtering user entries in users file: one with prefix, one with suffix.
You should have several hunderd user entries in users file so doubling them will have very little impact on performance. But for every change to users file you will need to restart the server (AFAIK HUP-ing is still not recommended).
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3260 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
Yeah. I was thinking about users file, using virtual server. If I've understood, it's like a "global variable". This is very simple and effective. At this moment I have two users with my two smartcard, for my own tests but without virtual servers. I'm just changing CA_file again and again but I'll look what Fernando says.....english makes me spend more time, but reducing......The most complicated thing that I've done with freeradius at this moment is tu put three intermediate authorities and root ca in the same CA_file, jejeje. Configure a basic freeradius is veri simple. Wpa_suppliucant with pkcs11 and DNIe have been more difficult for me. But this.....uf. Wikin'.... Thanks P.D.: ocsp would be so good.....
Ivan Kalik escribió:
"AUTENTICACIÓN" is a suffix of user-name, but only for those certificates that are subordinated to FNMT ca. "NOMBRE" is a prefix of user-name which have DNIe, subordinated to another ca. I want to configure two virtual servers based on this details, if I can.
OK. I had a look and found out that these are not really user certificates but electronic ID cards.
Since you won't know which of the two authorities issued an ID card for your user (they probably could have both and use one today and another one tomorrow), you should duplicate your filtering user entries in users file: one with prefix, one with suffix.
You should have several hunderd user entries in users file so doubling them will have very little impact on performance. But for every change to users file you will need to restart the server (AFAIK HUP-ing is still not recommended).
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________ Información de NOD32, revisión 3260 (20080710) __________
Este mensaje ha sido analizado con NOD32 antivirus system http://www.nod32.com
Wow. I'm authenticating users from both ca's in the same server, just configuring two eap modules () and changing all references to eap module into sites-enabled/default. I've commented the $INCLUDE proxy.conf in radiusd.conf because I didn't need it but I have problems with sites-enabled/inner-tunnel. I don't need neither PEAP and TTLS so I've just moved this file to another directory because it's included in $INCLUDE sites-enabled/. I think it's a brute change.....and you? Thanks
participants (5)
-
Alan DeKok -
Fernando -
Ivan Kalik -
Sergio -
Sergio Yébenes Moreno