about "freeradius accepts anybody"
Sergio Yébenes Moreno
sergioyebenes at alumnos.upm.es
Fri Jul 11 13:10:51 CEST 2008
Fernando wrote:
>
> let me see... at this time... can all clients with a valid
> certificate gain access to the network?
>
> Sergio Yébenes Moreno wrote:
>> Fernando wrote:
>>>
>>> I don't understand, what is your goal?
>>>
>>> Sergio Yébenes Moreno wrote:
>>>> Using eap-tls we can make a "filter" to users, based on different
>>>> attributes (I think). In my case, the "identity" field in
>>>> wpa_supplicant.conf.
>>>>
>>>> Freeradius config:
>>>>
>>>> file users contains this
>>>> .....
>>>> .....
>>>> $INCLUDE autorizados
>>>> DEFAULT Auth-Type := Reject
>>>> Reply-Message = "out"
>>>> ......
>>>> ......
>>>>
>>>> file autorizados contains this
>>>> "user1" Cleartext-Password := ""
>>>> Reply-Message = "Autorizando....."
>>>> Fall-Through = No
>>>> "user2" ............
>>>> ...........
>>>>
>>>> I had to make this because I'm not the signer of client
>>>> certificates, only for server. I hope that somebody will help this.
>>>
>> To use eap-tls with client certs signed by a public CA. Public CA
>> means that I can't do anything with this. But I don't want that
>> everybody comes to my network. I know that my English isn't very
>> clear, but I think it's very simple. Clients are in a public PKI.
>> Servers are in my own PKI. Clients trust in my PKI, servers trust in
>> this public PKI. But servers only authorize some users.
>
No. Only if they are in the "autorizados" file. I've checked it with
wpa_supplicant, changing the "identity" field, but with the same
certificate. The certificates are signed by a public CA. It's the DNIe in
Spain. Probably you know it. Because of this, I should have a "filter"
for users. This is my project at university. Using DNIe in my home
network isn't among my objectives.
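
Added example, not part of the original message and not FreeRADIUS code: a Python model of the first-match decision that the quoted users/autorizados files produce, run on constructed entries and requests. The `cert_cn` parameter and the `bind_to_cert` option are assumptions that are not in the post; they show the same allowlist when the identity must also equal the subject CN of the validated certificate.

```python
# Constructed copy of an "autorizados" file in the layout quoted in the thread.
AUTORIZADOS = '''\
"user1" Cleartext-Password := ""
    Reply-Message = "Autorizando....."
    Fall-Through = No
"user2" Cleartext-Password := ""
    Reply-Message = "Autorizando....."
    Fall-Through = No
'''


def parse_allowlist(text):
    """Return the entry names: the first token of every unindented line."""
    names = set()
    for line in text.splitlines():
        if line and not line[0].isspace():
            names.add(line.split()[0].strip('"'))
    return names


def authorize(identity, cert_cn, allowed, bind_to_cert=False):
    """Decide one EAP-TLS request the way the quoted files are ordered.

    identity     -- the "identity" field sent by wpa_supplicant (User-Name)
    cert_cn      -- subject CN of the client certificate (assumed parameter)
    bind_to_cert -- assumption, not in the post: require identity == cert_cn
    """
    if bind_to_cert and identity != cert_cn:
        return ("reject", "identity does not match certificate")
    if identity in allowed:
        # Matching entry with Fall-Through = No: processing stops here.
        return ("accept", "Autorizando.....")
    # No entry matched, so the DEFAULT Auth-Type := Reject entry applies.
    return ("reject", "out")


if __name__ == "__main__":
    allowed = parse_allowlist(AUTORIZADOS)
    cn = "CONSTRUCTED SUBJECT CN"  # placeholder, same certificate every time
    for ident in ("user1", "user3"):
        print(ident, authorize(ident, cn, allowed))
    print("user1 (bound)", authorize("user1", cn, allowed, bind_to_cert=True))
```

With the identity-only filter the decision follows the identity string while the certificate stays the same, which matches the behaviour reported above; with the binding enabled the certificate subject also has to agree.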