eap/tls questions with freeradius

Fajar A. Nugraha list at fajar.net
Tue Dec 27 05:29:29 CET 2011


On Mon, Dec 26, 2011 at 9:44 PM, vazoumana fofana
<zoumlander at hotmail.com> wrote:
> Sorry, I've got persistent problems:
>
> - I filter client certificates under the authenticate section (under eap) with:
> Auth-Type eap {
>     if ("%{TLS-Client-Cert-Subject}" =~ /OU=xxxxx/) {
>         reject
>     }
> }
> Firstly, it's written in the "default" file:
> #  Please do not put "unlang" configurations into the "authenticate"
> #  section.  Put them in the "post-auth" section instead.  That's what
> #  the post-auth section is for.
> But, according to me, it's not right because I don't want to enter
> post-auth. It must be rejected before.

Try the authorize section. The usual method in authorize would be

update control {
    Auth-Type := reject
}

>
> Secondly,
>
> with this configuration, I try to authenticate a client with certificate
> OU=xxxxx. According to debug mode, it seemed to work.
> The client (Windows XP)
> requested 21 times without success. But at the 22nd, it seemed to authenticate
> successfully because I see the client associated to the AP. After a while (5-10
> minutes), the client seemed to be detached and entered an authentication loop
> until it succeeded authenticating.

What does the debug log say? Did FR send an Access-Accept?

>
> Do you know why the client succeeds authenticating for a time?

If FR sends an Access-Accept, look at the debug log to see why it's
accepting the request.

If FR does NOT send an Access-Accept, it's probably a bug in the NAS.

> Is it possible to avoid requests from certain clients?

If they have a distinct attribute (e.g. certificate, user-name,
calling-station-id, whatever), you can just use unlang.

> I restrict authentication requests to chosen NAS. I want to avoid clients
> entering an authentication loop. But these clients can request authentication
> through the chosen NAS.

I have no idea what that means. Did you want to allow client A to
log in from NAS X, but reject it if it tries to log in from NAS Y? If
yes, try http://wiki.freeradius.org/Huntgroups or
http://wiki.freeradius.org/SQL%20Huntgroup%20HOWTO

-- 
Fajar
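Putting the advice above together, as an added example that is not from this thread: an authorize section that rejects using attributes the AP already carries in the Access-Request (Calling-Station-Id, NAS-IP-Address), so the decision is made before the eap module ever runs. The MAC addresses and NAS IPs are constructed placeholders, and FreeRADIUS 2.x unlang syntax is assumed.

```unlang
# Added example (not from the thread): raddb/sites-enabled/default, authorize
# section.  All MAC addresses and NAS-IP-Address values are constructed.
authorize {
    preprocess

    # A client (identified by its MAC in Calling-Station-Id) that must never
    # be let on, whichever NAS it comes through.  Setting Auth-Type := Reject
    # in control makes the eap module below return noop instead of taking
    # over, and the request ends as an Access-Reject on the very first packet.
    if (Calling-Station-Id == "00-11-22-33-44-55") {
        update control {
            Auth-Type := Reject
        }
        update reply {
            Reply-Message := "client blocked"
        }
    }

    # A client that is allowed only from the two chosen NASes: a request for
    # it that arrives from any other NAS-IP-Address is rejected here, so it
    # never enters the EAP exchange from an unwanted NAS.
    elsif (Calling-Station-Id == "00-11-22-33-44-66") {
        if (NAS-IP-Address != "192.0.2.10" && NAS-IP-Address != "192.0.2.11") {
            update control {
                Auth-Type := Reject
            }
            update reply {
                Reply-Message := "not permitted from this NAS"
            }
        }
    }

    # Everything else continues into EAP exactly as in the stock configuration.
    eap {
        ok = return
    }
    files
}
```

Check the result with radiusd -X: a rejected request shows the control Auth-Type being set in authorize and no EAP handler being created.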
