eap/tls and central users file
We use freeradius for eap/tls authentication, where freeradius accepts every certificate from a certain ca, as long as it is nor revoked. For this only a minimal users file is neccessary to assign some attributes to users via a DEFAULT entry. This works so far without problems. If we want to allow only certificates with well known CNs to be accepted, we would have to add them to the users file and add a DEFAULT with type reject. Would it be possible, that fr only validates the certificates and proxies the CN as username to a central fr, that has the complete user db? If so, how could it be achieved? Norbert Wegener
Norbert Wegener <nw@sbs.de> wrote:
Would it be possible, that fr only validates the certificates and proxies the CN as username to a central fr, that has the complete user db? If so, how could it be achieved?
That's a bit awkward, because the proxied requests won't have any authentication data. A different solution would be to proxy *all* requests centrally, or copy some of the database information from the central site to the remote sites. Alan DeKok.
Alan DeKok wrote:
Norbert Wegener <nw@sbs.de> wrote:
Would it be possible, that fr only validates the certificates and proxies the CN as username to a central fr, that has the complete user db? If so, how could it be achieved?
That's a bit awkward, because the proxied requests won't have any authentication data.
A different solution would be to proxy *all* requests centrally,
Thanks. but that's what I want to avoide, because eap/tls authentication causes much more traffic than simple pap/chap etc.
or copy some of the database information from the central site to the remote sites.
And that to avoid was the main reason for the question. Norbert Wegener
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Norbert Wegener