eap/tls questions with freeradius

vazoumana fofana zoumlander at hotmail.com
Mon Dec 26 15:44:56 CET 2011


sorry, i ve got persistents problems :

- I filter the client certificate in the authenticate section (under eap) with:

  Auth-Type eap {
          if ("%{TLS-Client-Cert-Subject}" =~ /OU=xxxxx/) {
                  reject
          }
  }
Firstly, it is written in the "default" file:
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
But, in my opinion, that is not right, because I don't want to enter post-auth. It must be rejected before.

Secondly,

With this configuration, I try to authenticate a client whose certificate has OU=xxxxx. According to debug mode, it seemed to work. The client (Windows XP) made 21 requests without success. But on the 22nd, it seemed to authenticate successfully, because I see the client associated with the AP. After some time (5-10 minutes), the client seemed to be detached and entered an authentication loop until it succeeded in authenticating.

Do you know why the client succeeds in authenticating for a time?
Is it possible to refuse requests from certain clients?
I restrict authentication requests to chosen NASes. I want to prevent clients from entering an authentication loop. But these clients can request authentication through the chosen NAS.

Cheers.



From: zoumlander at hotmail.com
To: freeradius-users at lists.freeradius.org
Subject: RE: eap/tls questions with freeradius
Date: Fri, 23 Dec 2011 10:32:54 +0000







Thanks!!!

> Date: Fri, 23 Dec 2011 16:26:20 +0700
> Subject: Re: eap/tls questions with freeradius
> From: list at fajar.net
> To: freeradius-users at lists.freeradius.org
> 
> On Fri, Dec 23, 2011 at 3:54 PM, vazoumana fofana
> <zoumlander at hotmail.com> wrote:
> >
> > Do you know where I can insert a script to add new functions like described
> > in my previous email?
> > When the client sends its certificate, does the server check the username or
> > the certificate validity first?
> 
> Try:
> - http://wiki.freeradius.org/Sites%20configuration
> - http://freeradius.org/radiusd/man/unlang.html
> - http://wiki.freeradius.org/Rlm_perl
> 
> Use unlang and attributes (such as TLS-Client-Cert-Common-Name) to do
> whatever filtering you want. If you need complex processing, you might
> have to use rlm_perl as well.
> 
> -- 
> Fajar
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
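For reference, here is the same OU filter moved into the post-auth section, as the comment in "default" recommends. This is an added illustration, not the original poster's configuration and not a fragment of the FreeRADIUS project's own default site; it assumes FreeRADIUS 2.x unlang syntax and keeps the OU=xxxxx placeholder from the post (substitute the real value). The Reply-Message text is an assumption. Note that rejecting in post-auth is still "before" the client is let in: the server builds and sends the Access-Accept only after post-auth returns, so a reject here produces an Access-Reject (and the Post-Auth-Type REJECT section runs) rather than a success. The match is anchored on the "/" separators of the subject DN so that OU=xxxxx does not also match a longer value such as OU=xxxxxy, which the unanchored /OU=xxxxx/ in the original check would.

```unlang
# Added example (not from the original post or the FreeRADIUS project).
# Goes in the post-auth section of sites-enabled/default, FreeRADIUS 2.x.
post-auth {
        # TLS-Client-Cert-Subject holds the full subject DN of the client
        # certificate presented during EAP-TLS, for example
        #   "/C=FR/O=Example/OU=xxxxx/CN=alice"
        # If no client certificate was presented the attribute is absent,
        # "%{TLS-Client-Cert-Subject}" expands to "" and nothing matches,
        # so non-TLS requests are not rejected by accident.
        #
        # "xxxxx" is the placeholder OU from the post; replace it.
        # The "/" separators are matched explicitly (escaped as \/) so the
        # check only hits that exact OU component.
        if ("%{TLS-Client-Cert-Subject}" =~ /\/OU=xxxxx(\/|$)/) {
                update reply {
                        # Assumed message text; purely informational.
                        Reply-Message := "Client certificate OU is not permitted"
                }
                reject
        }

        # ... the rest of the normal post-auth section follows here ...
}
```

With this in place, run radiusd -X and present a certificate whose OU matches: the debug output should show the condition evaluating true in post-auth followed by "Sending Access-Reject", with no Access-Accept for that session. A certificate with a different OU, or a subject in which OU=xxxxx appears only as a prefix of a longer value, falls through to the remaining post-auth processing.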
 		 	   		   		 	   		  