Everything looks like it works, but PC is not authenticated
Alexandros Gougousoudis
gougousoudis at kh-berlin.de
Mon Sep 4 12:31:25 CEST 2006
Hi,
K. Hoercher wrote:
> No, you don't.
> from Alan's post:
> # 1.3.6.1.4.1.311.17.2
> and "TLS Web Client Authentication" is 1.3.6.1.5.5.7.3.2
Hm, with Alan's OID there is no communication between Radius and the
client. If I use the OID indicated in most HOWTOs (like
http://www.hep.phys.soton.ac.uk/~jhe/documents/WPA-Authentication+RADIUS-HOWTO.html)
there is a conversation between them. OK, the authentication fails at
last. To write it again, I use W2k not XP, maybe the problem is
somewhere in there, but I doubt it, because menus and functions are the
same as in XP.
> you don't check for the CN. Afaik you might strip it by using the
> with_ntdomain_hack directive.
I've seen that directive, but exactly where should it be enabled in the
config? I think it can't be set in the eap.conf, where it makes the most
sense.
> Further changes depend on the eap type you want to use. I have
> already asked about that.
I didn't understand that question. I want to make a machine-based
authentication based on certificates on the clients. If the cert is
OK, the Ethernet port will be switched through. AFAIK this is done with
Windows clients using EAP-TLS. That's all the auth I need, the user at the
client must not be checked, even the client's name must not be checked
against an sql or ldap (maybe later).
The HOWTO says AuthType := EAP would be right. OK, here on the list
everybody says "Don't use AuthType", but nobody says what else to use... :-)
TIA
Alex
--
ServiceCenter IT - Alexandros Gougousoudis (Head)
Joint facility of the Kunsthochschule Berlin-Weissensee, the Hochschule
für Musik "Hanns Eisler" and the Hochschule für Schauspielkunst "Ernst
Busch".
Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445