about "freeradius accepts anybody"
Fernando
fbernal at um.es
Thu Jul 10 13:55:08 CEST 2008
Sergio Yébenes Moreno wrote:
> Fernando wrote:
>>
>> Let me see... at this time... can all clients with a valid
>> certificate gain access to the network?
>>
>> Sergio Yébenes Moreno wrote:
>>> Fernando wrote:
>>>>
>>>> I don't understand, what is your goal?
>>>>
>>>> Sergio Yébenes Moreno wrote:
>>>>> Using eap-tls we can make a "filter" for users, based on different
>>>>> attributes (I think). In my case, the "identity" field in
>>>>> wpa_supplicant.conf.
>>>>>
>>>>> Freeradius config:
>>>>>
>>>>> file users contains this
>>>>> .....
>>>>> .....
>>>>> $INCLUDE autorizados
>>>>> DEFAULT Auth-Type := Reject
>>>>> Reply-Message = "out"
>>>>> ......
>>>>> ......
>>>>>
>>>>> file autorizados contains this
>>>>> "user1" Cleartext-Password := ""
>>>>> Reply-Message = "Autorizando....."
>>>>> Fall-Through = No
>>>>> "user2" ............
>>>>> ...........
>>>>>
>>>>> I had to make this because I'm not the signer of client
>>>>> certificates, only for server. I hope that somebody will help this.
>>>>
>>> To use eap-tls with client certs signed by a public CA. Public CA
>>> means that I can't do anything with this. But I don't want
>>> everybody to come onto my network. I know that my English isn't very
>>> clear, but I think it's very simple. Clients are in a public PKI.
>>> Servers are in my own PKI. Clients trust my PKI, servers trust
>>> this public PKI. But servers only authorize some users.
>>
> No. Only if they are in the "autorizados" file. I've checked it with
> wpa_supplicant, changing the "identity" field, but with the same
> certificate. The certificates are signed by a public CA. It's the DNIe
> in Spain. Probably you know it. Because of this, I should have a
> "filter" for users. This is my project at university. Using DNIe in my
> home network isn't among my objectives.
Anyone that has a DNIe can access your home network. I mean that you
must have two phases: first, user authentication with DNIe, and then a
process of authorization. You do the authorization process with the file
"autorizados". So, what is the problem?