FreeRADIUS 1.1.6 - EAP-TLS authentication
Keith Moores
kmm6b at virginia.edu
Thu May 17 15:33:44 CEST 2007
CRLs are not the best way to conduct authorization for EAP-TLS:
their control is too coarse when the goal is to enable/disable the
use of valid certificates for different purposes, and they don't let
you assign other authorization info like what VLAN a user should be
assigned to.
The only option that currently works for access to real authorization
with EAP-TLS is to use the:
check_cert_cn = %{User-Name}
option in the tls section of eap.conf, so you can be sure the outer
identity (User-Name) matches the inner identity in the certificate;
it's then valid to check User-Name against another source for
authorization. If you don't perform this check you can't be sure the
outer identity (User-Name) has any relation to the identity
represented by the certificate. This is only an option if your user
certificates contain the unique "user id" you will look up for
authorization in the Common Name field, not in the Subject
Alternative Name - Principal Name field (which many organizations use,
as their user certificate Common Names are not unique user identifiers).
-Keith
On May 17, 2007, at 1:49 AM, Alan DeKok wrote:
> anoop_c at sifycorp.com wrote:
>> 1. Where will I find the log of the authentication, like
>> "username login ok" or "login failed"?
>
> It's in "radius.log"
>
>> 2. One user's certificate, if I install it in another user's laptop,
>> works. I want one user certificate to work in one laptop only.
>
> There's no real way of doing that. You *could* put the MAC address
> into the certificate, and have the RADIUS server check that against the
> MAC address in the RADIUS request, but there's no guarantee that will
> work. It can be spoofed, and it can break valid configurations.
>
>> 3. In the users file I haven't added any certificate name, as it is
>> EAP-TLS. So if I want to remove the user from the n/w I don't have
>> control. Is there any method like I can add the certificate names in
>> the users file, and then only those should work?
>
> Certificate revocation lists.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
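The combination Keith describes, written out as an added example that is not from the original thread and not the FreeRADIUS project's shipped configuration: the tls section of eap.conf binds the outer User-Name to the certificate Common Name, and the users file then assigns a VLAN per user and refuses any certificate holder who is not listed. The option and attribute names are the ones FreeRADIUS 1.x uses; the usernames, VLAN IDs, certificate file paths and the password are assumptions.

```conf
# ---- eap.conf (FreeRADIUS 1.1.x), tls sub-section --------------------
# Added example, not the project's default file.  File paths and the
# private key password below are placeholders.
eap {
	default_eap_type = tls
	tls {
		private_key_password = whatever
		private_key_file = ${raddbdir}/certs/server.pem
		certificate_file = ${raddbdir}/certs/server.pem
		CA_file          = ${raddbdir}/certs/ca.pem
		dh_file          = ${raddbdir}/certs/dh
		random_file      = ${raddbdir}/certs/random

		# Refuse the session unless the certificate's Common Name is
		# identical to the outer identity the supplicant sent as
		# User-Name.  Without this a valid certificate issued to
		# "alice" could be presented while claiming User-Name "bob",
		# and any per-user lookup keyed on User-Name would authorize
		# the wrong person.
		check_cert_cn = %{User-Name}
	}
}

# ---- users file --------------------------------------------------------
# User-Name is only trustworthy here because check_cert_cn above has
# already tied it to the certificate CN.  Users and VLAN IDs are
# hypothetical.  Reply items are the RFC 3580 VLAN assignment triple.
alice
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 10

bob
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 20

# Anyone not listed above is refused even though their certificate
# chains to a trusted CA: this is the per-user off switch that a CRL
# alone does not give you.  Deleting an entry disables that user at
# their next authentication without touching the CA.
DEFAULT	Auth-Type := Reject
	Reply-Message = "Certificate holder is not authorized on this network"
```

The files module must run after eap in the authorize section so that the `:=` on the DEFAULT entry overrides the Auth-Type the eap module sets; that is the order in the stock 1.x radiusd.conf. As Keith notes, this only works when the unique identifier is in the CN: a certificate whose user identity lives only in the Subject Alternative Name cannot be matched by check_cert_cn, so such a user would have to be looked up by some other attribute.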