windows users having trouble authenticating
David Mitchell
mitchell at ucar.edu
Tue Aug 3 21:28:11 CEST 2010
Alan DeKok wrote:
> Sallee, Stephen (Jake) wrote:
>>> The various EAP methods *should* have tied usernames (i.e. domains)
>> to a field in the certificate. e.g. a cert with CN "radius at example.com"
>>> should be sent logins for "user at example.com", but NEVER sent logins
>> for "user at example.net"
>>
>> How does this workout with child domains? For example: I have two
>> domains 1) umhb.edu and 2) Cru.umhb.edu. "Cru" is a child of
>> "umhb.edu", if I get a single cert for FreeRADIUS.umhb.edu will it be ok
>> for authenticating users on both umhb.edu AND Cru.umhb.edu?
>
> I said it SHOULD have been that way. It doesn't work that way now.
>
> There is NO tying of certificate CNs to user names.
We should probably expand on that. With respect to the server's
certificate, there is nothing tying it to anything on any client I've
tested. The server's certificate is presented and you are allowed to
accept it. If it isn't signed by a trusted authority you may have to
click some additional warnings.
FreeRadius can of course compare the client certs CN to the username for
what it's worth. On most platforms, the user can put whatever they want
for the username though. Or on XP, it gets auto-filled with the value of
the CN from the clients certificate. So that particular check is of
dubious value.
With respect to Jake's question, I'm not sure if he's talking about the
server certificate or the client certificate. Strictly speaking, server
certificates are not really tied to a domain or DNS entry with EAP. I
don't think the client ever actually sees the true IP address of the
radius server or it's domain name. The NAS does (or might), but from the
client to the Radius server it's all encapsulated and strictly speaking
isn't IP traffic at all. You can use the server cert wherever you want,
no matter what DNS name is on it. As long as you can get the users to
click OK when they are presented with it, it will be fine.
-David Mitchell
--
-----------------------------------------------------------------
| David Mitchell (mitchell at ucar.edu) Network Engineer IV |
| Tel: (303) 497-1845 National Center for |
| FAX: (303) 497-1818 Atmospheric Research |
-----------------------------------------------------------------
More information about the Freeradius-Users
mailing list