about "freeradius accepts anybody"

Sergio Yébenes Moreno sergioyebenes at alumnos.upm.es
Fri Jul 11 13:41:56 CEST 2008


Fernando escribió:
>
> let me see... at this time...  can all client with a valid 
> certificate  gain  access to the network?
>
> Sergio Yébenes Moreno wrote:
>> Fernando escribió:
>>>
>>> I don't understand, what is your goal?
>>>
>>> Sergio Yébenes Moreno wrote:
>>>> Using eap-tls we can make a "filter" to users, based on different 
>>>> attibutes (I think). In my case, the "identity" field in 
>>>> wpa_supplicant.conf.
>>>>
>>>> Freeradius config:
>>>>
>>>> file users contains this
>>>> .....
>>>> .....
>>>> $INCLUDE autorizados
>>>> DEFAULT    Auth-Type := Reject
>>>>                     Reply-Message = "out"
>>>> ......
>>>> ......
>>>>
>>>> file autorizados contains this
>>>> "user1"    Cleartext-Password := ""
>>>>                Reply-Message = "Autorizando....."
>>>>                Fall-Through = No
>>>> "user2" ............
>>>> ...........
>>>>
>>>> I had to make this because I'm not the signer of client 
>>>> certificates, only for server. I hope that somebody will help this.
>>>> -
>>>> List info/subscribe/unsubscribe? See 
>>>> http://www.freeradius.org/list/users.html
>>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See 
>>> http://www.freeradius.org/list/users.html
>>>
>>>
>>> __________ Información de NOD32, revisión 3257 (20080710) __________
>>>
>>> Este mensaje ha sido analizado con NOD32 antivirus system
>>> http://www.nod32.com
>>>
>>>
>>>
>> To use eap-tls with client certs signed by a public CA. Public CA 
>> means that I can't do anything with this. But I don't want that 
>> everybody comes to my network. I know that my english isn't very 
>> clear, but I think it's very simple. Clients are in a public PKI. 
>> Servers are in my own PKI. Clients trust in my PKI, servers trust in 
>> this public PKI. But servers only authorize some users.
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
>
> __________ Información de NOD32, revisión 3257 (20080710) __________
>
> Este mensaje ha sido analizado con NOD32 antivirus system
> http://www.nod32.com
>
>
>
Ok. DNIe gives PUBLIC access control, to a public network (university, 
madrid Wifi (jeje, gallardón va de rey alcalde) etc), Dinamic keys, and 
all in 802.1x and, in consequence, 802.11i. But probably we don't want 
everybody in this network.Surely we hadn't spend money and time issuing 
certificates to clients. Because of this, we have "autorizados" file. 
Then, we only should issue certificates to radius. Clients trust in my 
CA, and radius trust in "ministerio del interior" jejeje, that sings 
certificates for everybody in Spain.



More information about the Freeradius-Users mailing list