Some questions about freeRADIUS implementation, PLEASE HELP ME!!
alfonso celestino
zen_cma at yahoo.com.mx
Thu Sep 8 20:05:39 CEST 2005
Hi Davies, thanks for your help. I have another question.
> >2. At the second stage we will implement a PKI and we'll use EAP-TLS,
> >and my doubt is about the LDAP database and Simultaneous-Use. For
> >example, with EAP-PEAP I add the following lines to the users file:
> >
> >.......
> >DEFAULT Ldap-Group == group1, Simultaneous-Use := 1
> >        Aruba-User-Role = "ESTUDIANTE",
> >
> >DEFAULT Ldap-Group == group2, Simultaneous-Use := 1
> >        Aruba-User-Role = "PROFESORES",
> >DEFAULT ....
> >.....
> >
> >And it works perfectly. But what happens if we use EAP-TLS
> >--> client certificates? Is there any way to obtain the same results?
>
> If you are providing each client with a certificate signed by your CA
> and the RADIUS servers both have the certificate of the root CA, then
> they'll be able to authenticate the clients based on the signature of
> the root CA. LDAP is used for authorization anyway, so you'll use that
> independently, based on the username in the certificate CN.
>
> >If so, how can I do it (some references, howtos)? Because when I use
> >EAP-TLS I don't need to add anything to the users file nor to the LDAP
> >database!!
>
> You can add authorization in the LDAP database. It is not used (by
> EAP-TLS or PEAP/MS-CHAPv2) for authentication. Note, if you're using
> PEAP/MS-CHAPv2 and LDAP and you want to store the password in the LDAP
> database, it *must* be in plain text.
>
Here is my doubt:
I am using EAP-TLS. I generated a client certificate with CN "redes",
then I added to the LDAP database a user with these attributes:
cn: redes
uid: redes
radiusGroupName: academicos
..other attributes
but without userPassword, and in the users file I added:
DEFAULT Ldap-Group == academicos, Simultaneous-Use := 1
        Aruba-User-Role = "STAFF",
A user with a client certificate can access the wireless network and
gets the STAFF role perfectly, but the process of authentication and
authorization seems very, very redundant. Is that normal? I attach the
file of the auth process.
thanks
Alfonso Celestino
DGSCA,UNAM
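A simplified model of the users-file matching this thread is about, added here as an illustration and not FreeRADIUS code nor anything either poster wrote: it parses DEFAULT entries like the ones above, picks the first entry whose check items hold for the user's LDAP group, and returns the reply attributes (first-match semantics; Fall-Through is not modelled). The parser, the `authorize` and `session_limit_ok` functions, the group names and the lookup results are assumptions. In the real server the ldap module supplies Ldap-Group from the directory and Simultaneous-Use is enforced against the session database, not by the users file itself.

```python
import re

# Constructed excerpt in users-file syntax (mirrors the entries in the
# post). A line starting in column 0 carries the check items; indented
# lines carry the reply items.
USERS_FILE = """\
DEFAULT Ldap-Group == academicos, Simultaneous-Use := 1
        Aruba-User-Role = "STAFF"

DEFAULT Ldap-Group == group1, Simultaneous-Use := 1
        Aruba-User-Role = "ESTUDIANTE"

DEFAULT Ldap-Group == group2, Simultaneous-Use := 1
        Aruba-User-Role = "PROFESORES"
"""

# One 'Attribute op value' item; values may be bare or double-quoted.
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|\S+)')


def parse_items(text):
    """Turn 'Attr op value, Attr op value' into (attr, op, value) triples."""
    items = []
    for chunk in text.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ITEM_RE.fullmatch(chunk)
        if m is None:
            raise ValueError(f"cannot parse item: {chunk!r}")
        attr, op, value = m.groups()
        items.append((attr, op, value.strip('"')))
    return items


def parse_users(text):
    """Return the entries in file order: name, check items, reply items."""
    entries = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError("reply item before any entry")
            current["reply"].extend(parse_items(line))
        else:
            name, _, rest = line.partition(" ")
            current = {"name": name, "check": parse_items(rest), "reply": []}
            entries.append(current)
    return entries


def authorize(entries, username, ldap_groups):
    """First-match lookup over the entries.

    Returns (reply_attributes, simultaneous_use_limit) for the first entry
    whose check items all hold, or None when no entry matches.
    """
    for entry in entries:
        if entry["name"] not in ("DEFAULT", username):
            continue
        limit = None
        matched = True
        for attr, op, value in entry["check"]:
            if attr == "Ldap-Group" and op == "==":
                matched = value in ldap_groups
            elif attr == "Simultaneous-Use" and op == ":=":
                limit = int(value)
            else:
                raise ValueError(f"unsupported check item {attr} {op} {value}")
            if not matched:
                break
        if matched:
            reply = {attr: value for attr, _, value in entry["reply"]}
            return reply, limit
    return None


def session_limit_ok(limit, active_sessions):
    """Mimic the check the session database performs for Simultaneous-Use."""
    return limit is None or active_sessions < limit


if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    # The certificate CN "redes" from the post; its (constructed) LDAP
    # lookup result places it in radiusGroupName 'academicos'.
    print(authorize(entries, "redes", {"academicos"}))
    print(authorize(entries, "someone", {"group2"}))
    print(authorize(entries, "someone", {"nogroup"}))
```

The split between the two functions is the point: authentication has already happened (the certificate signature, in the EAP-TLS case) before any of this runs, and what the users file contributes is only the choice of reply attributes and the session limit that the session database later enforces.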
Attachment: auth-process.txt
<http://lists.freeradius.org/pipermail/freeradius-users/attachments/20050908/769879bf/attachment.txt>