about "freeradius accepts anybody"
Fernando
fbernal at um.es
Thu Jul 10 15:41:44 CEST 2008
Sergio Yébenes Moreno wrote:
> Ivan Kalik wrote:
>>> Ok. DNIe gives PUBLIC access control to a public network
>>> (university, Madrid WiFi (hehe, Gallardón is playing king-mayor), etc.),
>>> dynamic keys, and all in 802.1X and, consequently, 802.11i. But
>>> probably we don't want everybody on this network. Surely we wouldn't
>>> have spent money and time issuing certificates to clients. Because of
>>> this, we have the "autorizados" file. Then we only need to issue
>>> certificates to RADIUS. Clients trust my CA, and RADIUS trusts the
>>> "Ministerio del Interior", hehe, which signs certificates for
>>> everybody in Spain.
>>>
>>
>> I can see where you are heading with this. You want to use
>> usernames/passwords *and* check client certificates. Freeradius doesn't
>> support this. That is called PEAP-EAP-TLS and is supported in
>> Microsoft-only networks.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
> I don't want to use passwords. I only want to use what is working at
> this time: public domain EAP-TLS, but only for students of a
> university, for example. Probably there are better methods to do this,
> but this works. I promise..... the "identity" field in wpa_supplicant
> and the cert's "commonName" in WinXP clients.
> Now I want to set up 3 virtual servers, one for DNIe and one for another
> public CA (FNMT) that has a smaller range than DNIe. I'd like to ask
> you, if you know: the "authorize" section supports unlang, and we can
> use User-Name, for example, to authenticate in any virtual server. I
> suspect that I can't do this based on the signer of the client
> certificate. The point is that the common name in certificates signed
> by FNMT comes with a well-known prefix, and the DNIe CommonName comes
> with a well-known suffix. I don't know how to begin..... hints file,
> sites-enabled, regular expressions.... The FreeRADIUS virtual server
> documentation shows virtual servers based on IP, access points, server
> pools, but nothing about user credentials.....
>
mmmm.... Do you want to authenticate people at different servers? Use a
proxy.
CLIENT ------------------> PROXY RADIUS
------------------> DNIe AUTH
------------------> MY CA AUTH
ok?
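As an added example (not code from this thread, and not FreeRADIUS's shipped configuration), here is a FreeRADIUS 2.x proxy setup that does what Fernando sketches above and routes on the prefix/suffix Sergio describes. Everything concrete in it is an assumption: the home server addresses, shared secrets, realm and pool names, the CA file path, and the two regexes `^FNMT-` and `-DNIe$` (the thread does not say what the real FNMT prefix and DNIe suffix are).

```conf
# Added example, not from the thread. FreeRADIUS 2.x: a front-end proxy
# that forwards EAP-TLS clients to one of two home servers depending on
# the outer identity, plus the home-server side check that binds that
# identity to the certificate actually presented. Addresses, secrets,
# names, regexes and paths are assumptions.

# --- proxy.conf (on the proxy) ---------------------------------------
home_server dnie_auth {
        type    = auth
        ipaddr  = 192.0.2.10          # assumed: server trusting the DNIe CA only
        port    = 1812
        secret  = changeme-dnie       # assumed shared secret
        require_message_authenticator = yes
}

home_server fnmt_auth {
        type    = auth
        ipaddr  = 192.0.2.11          # assumed: server trusting the FNMT CA only
        port    = 1812
        secret  = changeme-fnmt       # assumed shared secret
        require_message_authenticator = yes
}

home_server_pool dnie_pool {
        type        = fail-over
        home_server = dnie_auth
}

home_server_pool fnmt_pool {
        type        = fail-over
        home_server = fnmt_auth
}

realm dnie {
        auth_pool = dnie_pool
}

realm fnmt {
        auth_pool = fnmt_pool
}

# --- sites-enabled/default, authorize section (on the proxy) ---------
authorize {
        preprocess

        # The first Access-Request only carries EAP-Response/Identity, so
        # the routing decision has to be made on User-Name. That string is
        # chosen by the client and is NOT yet authenticated: it selects
        # where to authenticate, nothing more.
        if (User-Name =~ /^FNMT-/) {              # assumed FNMT prefix
                update control {
                        Proxy-To-Realm := "fnmt"
                }
        }
        elsif (User-Name =~ /-DNIe$/) {           # assumed DNIe suffix
                update control {
                        Proxy-To-Realm := "dnie"
                }
        }
        else {
                # Matches neither pattern: reject locally rather than
                # proxying to a default.
                reject
        }

        # With Proxy-To-Realm set, rlm_eap does not handle the EAP
        # conversation here; it is forwarded to the home server.
        eap
}

# --- eap.conf, tls subsection (on EACH home server) ------------------
# The identity used for routing must match the certificate that is then
# presented, and only the intended CA may be accepted on this server.
tls {
        ca_file       = ${certdir}/ca-for-this-server.pem   # assumed path
        check_cert_cn = %{User-Name}
        # certificate_file, private_key_file, dh_file etc. as usual
}
```

The security-relevant point is the split: the proxy routes on an unauthenticated claim (the outer identity), so the trust decision lives entirely on the home server, where `ca_file` limits which CA can sign an acceptable client certificate and `check_cert_cn` makes EAP-TLS fail if the presented certificate's CN is not the User-Name that caused the request to land there. A client that sends an FNMT-style identity but presents a DNIe certificate is therefore refused twice over. If the three "virtual servers" are `listen` sections of the same FreeRADIUS instance rather than separate hosts, the `Proxy-To-Realm` mechanism is the same; only the `ipaddr`/`port` values change.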
More information about the Freeradius-Users mailing list