about "freeradius accepts anybody"

Sergio sergioyebenes at alumnos.upm.es
Sat Jul 12 13:22:28 CEST 2008


Fernando wrote:
> Sergio wrote:
>> Fernando wrote:
>>> Sergio Yébenes Moreno wrote:
>>>> Ivan Kalik wrote:
>>>>>> Ok. DNIe gives PUBLIC access control, to a public network 
>>>>>> (university, Madrid Wifi (hehe, Gallardón plays the mayor-king) 
>>>>>> etc), dynamic keys, and all in 802.1x and, in consequence, 
>>>>>> 802.11i. But probably we don't want everybody in this 
>>>>>> network. Surely we haven't spent money and time issuing 
>>>>>> certificates to clients. Because of this, we have the "autorizados" 
>>>>>> file. Then, we should only issue certificates to radius. Clients 
>>>>>> trust my CA, and radius trusts the "ministerio del interior", 
>>>>>> hehehe, that signs certificates for everybody in Spain.
>>>>>>     
>>>>>
>>>>> I can see where you are heading with this. You want to use
>>>>> usernames/passwords *and* check client certificates. Freeradius
>>>>> doesn't support this. That is called PEAP-EAP-TLS and is supported in
>>>>> Microsoft-only networks.
>>>>>
>>>>> Ivan Kalik
>>>>> Kalik Informatika ISP
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See 
>>>>> http://www.freeradius.org/list/users.html
>>>>>
>>>>>
>>>>> __________ NOD32 information, revision 3257 (20080710) __________
>>>>>
>>>>> This message has been scanned with NOD32 antivirus system
>>>>> http://www.nod32.com
>>>>>
>>>>>
>>>>>
>>>>>   
>>>> I don't want to use passwords. I only want to use what is working at 
>>>> this time: public domain EAP-TLS, but only for students of a 
>>>> university, for example. Probably there are better methods to do 
>>>> this, but this works. I promise..... "identity" field in 
>>>> wpa_supplicant and the cert's "commonName" in WinXP clients.
>>>> Now I want to put 3 virtual servers, one for DNIe and one for 
>>>> another public CA (FNMT) that has less range than DNIe. I'd like 
>>>> to ask you, if you know. The "authorize" section supports unlang and we 
>>>> can use User-Name, for example, to authenticate in any virtual 
>>>> server. I suspect that I can't do this based on the signer of the client 
>>>> certificate. The point is that the common name in certificates signed 
>>>> by FNMT comes with a well-known prefix, and the DNIe CommonName comes 
>>>> with a well-known suffix. I don't know how to begin..... hints file, 
>>>> sites-enabled, regular expressions.... Freeradius virtual servers 
>>>> documentation shows virtual servers based on IP, access points, 
>>>> server pools, but nothing about user credentials.....
>>>>
>>> mmmm.... Do you want to authenticate people at different servers? Use 
>>> a proxy.
>>>
>>>
>>>     CLIENT ------------------> PROXY RADIUS ------------------> DNIe AUTH
>>>                                             ------------------> MY CA AUTH
>>>
>>> ok?
>>>
>> mmmmm I see that I can authenticate users to different servers, based 
>> on the domain of the user-name, using radius as a proxy. But I have 
>> the "(AUTENTICACIÓN)" suffix for some users and the "NOMBRE" prefix for the 
>> others. I think this will make me spend some time.....
>> Thanks Fernando
>>
> mmmm i don't understand... give an example :). what do you mean by 
> "AUTENTICACION" and "NOMBRE"?
>
>
"AUTENTICACIÓN" is a suffix of the user-name, but only for those 
certificates that are subordinate to the FNMT CA. "NOMBRE" is a prefix of 
the user-name for those who have DNIe, subordinate to another CA. I want to 
configure two virtual servers based on these details, if I can.
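A sketch of the proxy-side routing the thread converges on (pick a realm from the User-Name prefix or suffix, then let FreeRADIUS proxy the EAP-TLS conversation to the home server for that CA), written for FreeRADIUS 2.x as an added example, not configuration from the thread or from the FreeRADIUS project. Realm names, home server addresses and shared secrets are placeholders, and the pattern-to-CA mapping follows the last message above, so check it against the actual CN of each CA's certificates.

```unlang
# On the PROXY: top of the authorize section in sites-enabled/default,
# ahead of the shipped "eap" call (FreeRADIUS 2.x unlang; added example).
# User-Name here is the client-chosen EAP outer identity: use it only to
# choose a realm; the home server still validates the certificate chain
# against its CA (and can tie CN to identity with check_cert_cn).
authorize {
    if (User-Name =~ /^NOMBRE/) {
        # prefix the last message associates with DNIe
        update control {
            Proxy-To-Realm := "dnie"
        }
    }
    elsif (User-Name =~ /\(AUTENTICACIÓN\)$/) {
        # suffix the last message associates with FNMT
        update control {
            Proxy-To-Realm := "fnmt"
        }
    }
    # identities matching neither pattern fall through to the local
    # authorize/authenticate sections (e.g. the site's own CA)
}

# proxy.conf on the PROXY: one home server per CA-specific virtual server.
# Addresses and secrets below are placeholders.
home_server dnie_auth {
    type   = auth
    ipaddr = 192.0.2.10
    port   = 1812
    secret = REPLACE_WITH_DNIE_SECRET
}
home_server_pool dnie_pool {
    type        = fail-over
    home_server = dnie_auth
}
realm dnie {
    auth_pool = dnie_pool
}
home_server fnmt_auth {
    type   = auth
    ipaddr = 192.0.2.11
    port   = 1812
    secret = REPLACE_WITH_FNMT_SECRET
}
home_server_pool fnmt_pool {
    type        = fail-over
    home_server = fnmt_auth
}
realm fnmt {
    auth_pool = fnmt_pool
}
```

Each home server runs its own eap/tls configuration with only that CA in `CA_file`, so a certificate from the wrong issuer fails the TLS handshake even if the client chose an identity that routed it there.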



More information about the Freeradius-Users mailing list