Certificate-based client side authentication towards a website with freeradius

Jay Xiong jayxiong007 at gmail.com
Wed Jul 1 21:24:46 CEST 2009


Martin,

If you want to leverage the existing user profiles in the RADIUS
server for authentication and authorization, this Internet Draft, TLS-EAP
Extension (http://tools.ietf.org/html/draft-nir-tls-eap-06), might be
what you are looking for. Unfortunately, there is no implementation
to date as far as I know.

I am designing and developing the software for this Internet Draft
based on OpenSSL, the EAP module from wpa-supplicant and the freeradius
client. Please let me know of any special requirements if you are
interested in using the TLS-EAP Extension.

Thanks,

jay

On Wed, Jul 1, 2009 at 2:14 PM, Alan DeKok<aland at deployingradius.com> wrote:
> Martin Schneider wrote:
>> We need also authorization. So we want to
>>
>> 1.) check if the certificate is signed by a "trusted ca"
>
>  That is done by the normal certificate validation process.
>
>> 2.) check if the username x in the certificate is "known"
>
>  What does that mean?  If the CA signed the certificate, then the
> username is known.  Why would the CA sign a certificate for an unknown user?
>
>> 3.) check if the user with name x is authorized to access the service.
>
>  That can be done with RADIUS.
>
>  Alan DeKok.