user(name) and EAP-TLS
Klaus Klein
k.klein at gmx.de
Sat Aug 4 16:13:31 CEST 2012
Am 04.08.2012 12:57, schrieb Matthew Newton:
> On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote:
>> Therefore I'm a bit puzzled that if no matching entry in users
>> is found that the authentication still takes place.
>
> Try one of:
>
> a) move files above eap in sites-enabled/default. This will mean
> that the eap short-circuit won't skip files. It will also mean
> that you hit files a lot more than before, which will have a
> performance impact (the scale of which depends on the number of
> auths, of course).
>
> b) use 3.0, and set a virtual_server for tls. You can then run
> files in that, and check attributes before accepting or
> otherwise.
>
> c) backport the tls virtual server patch to 2.x - it's pretty
> simple.
Thanks for your suggestions. I guess I'll try them in the order a, c, b.
But maybe I should have been a bit more precise in my first email.
The final (first) productive installation should protect the access to my private WLAN with 3+ APs and 10+ clients.
So the performance impact in suggestion a) will be limited. ;-)
Currently I have set up a test environment to try and learn and, as a side effect to a more secure WLAN, a more detailed understanding of how (free)RADIUS works.
Cheers,
Klaus
More information about the Freeradius-Users
mailing list