How to use CRL by PEAP authentication

Kouji Amemiya amemiya at allied-telesis.co.jp
Mon Dec 26 12:16:06 CET 2005


Hi Klaus,

> For peap you don't use a certificate on the client (better:
> supplicant) side, so it is not checked. What you seem to have revoked
> is the certificate the server presents to the supplicant, which has no
> part in deciding to authorize/authenticate the user.

It is surely as you say.
I did not understand PEAP's specification, but I know it.

Thank you for your answer!

Best Regards,
Kouji Amemiya


On Fri, 16 Dec 2005 12:39:42 +0100
wbh <wbhoer at gmail.com> wrote:

> On 12/16/05, Kouji Amemiya <amemiya at allied-telesis.co.jp> wrote:
> > I was using the certificate published by OpenSSL, and I revoked this certificate.
> > (Herewith, this certificate's information was written to the CRL.)
> >
> > And I attempted PEAP authentication with this revoked certificate,
> > but the authentication result was "Access-Accept".
> 
> For peap you don't use a certificate on the client (better:
> supplicant) side, so it is not checked. What you seem to have revoked
> is the certificate the server presents to the supplicant, which has no
> part in deciding to authorize/authenticate the user.
> 
> Why the supplicant doesn't refuse the supposedly revoked server
> certificate would be interesting (you could look into your setup, if
> the supplicant did check for the latest CRL of the certificate's
> issuer), but is unresponsive to your original question.
> 
> Regards,
> Klaus Hvrcher
> 