windows users having trouble authenticating

Sallee, Stephen (Jake) Jake.Sallee at umhb.edu
Tue Aug 3 20:41:55 CEST 2010


>  The various EAP methods *should* have tied usernames (i.e. domains)
>  to a field in the certificate.  e.g. a cert with CN "radius at example.com"
>  should be sent logins for "user at example.com", but NEVER sent logins
>  for "user at example.net"

How does this work out with child domains?  For example: I have two
domains 1) umhb.edu and 2) Cru.umhb.edu.  "Cru" is a child of
"umhb.edu", if I get a single cert for FreeRADIUS.umhb.edu will it be ok
for authenticating users on both umhb.edu AND Cru.umhb.edu?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, August 03, 2010 1:13 PM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

John Dennis wrote:
> On 08/03/2010 01:30 PM, Alan DeKok wrote:
>> Using a known root CA for RADIUS authentication isn't really 
>> recommended.
> 
> Why?
> 
> P.S. just to clarify, it's not "using a known root CA for RADIUS 
> authentication", rather it's using a server cert signed by a known 
> root CA.

  Sure.

  It's because *anyone* can set up an AP, and a RADIUS server that your
PC will accept.  If the AP has the same SSID as (say) your work, it will
happily send your work username && login via EAP to the rogue AP.

  The various EAP methods *should* have tied usernames (i.e. domains) to
a field in the certificate.  e.g. a cert with CN "radius at example.com"
should be sent logins for "user at example.com", but NEVER sent logins for
"user at example.net"

  You should ONLY send your login credentials when you *know* who it is
on the other end of the EAP conversation.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
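
Added example, not part of the thread and not code from FreeRADIUS or Windows: a sketch of the client-side rule discussed above, where an identity is released only when both its realm and a name in the server certificate fall under one domain the client was configured to trust. The function names and the label-by-label suffix policy (which would let one certificate serve a parent domain and its child) are assumptions, and the sample names in the usage lines are constructed.

```python
def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def under_domain(name, domain):
    """True if name equals domain or is a child of it.

    Comparison is per label, so "evilumhb.edu" and "umhb.edu.example.net"
    do not count as being under "umhb.edu" the way a plain string
    endswith()/startswith() test would allow.
    """
    n, d = _labels(name), _labels(domain)
    return len(n) >= len(d) and n[-len(d):] == d


def may_send_identity(identity, server_dns_names, trusted_domain):
    """Decide whether the client should release `identity` to this EAP server.

    identity         -- "user@realm" (the list archive renders "@" as " at ")
    server_dns_names -- names taken from the already chain-validated server cert
    trusted_domain   -- domain the client was provisioned to trust (assumption)
    """
    user, sep, realm = identity.rpartition("@")
    if not sep or not user or not realm:
        return False  # no realm, so nothing ties the login to a certificate
    if not under_domain(realm, trusted_domain):
        return False  # login belongs to some other organisation
    # At least one certificate name must sit under the same trusted domain.
    return any(under_domain(n, trusted_domain) for n in server_dns_names)


if __name__ == "__main__":
    cert = ["FreeRADIUS.umhb.edu"]  # constructed sample certificate name
    for ident in ("user@umhb.edu", "user@Cru.umhb.edu", "user@example.net"):
        print(ident, may_send_identity(ident, cert, "umhb.edu"))
    # A look-alike server name is refused even for a valid realm.
    print(may_send_identity("user@umhb.edu", ["radius.evilumhb.edu"], "umhb.edu"))
```

The check only makes sense after the certificate chain has been validated against the expected CA; name matching on an unvalidated certificate proves nothing.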



