Re: EAP-TLS with different CA per user?

2008-06-09 Thread Frank Sweetser

Alan DeKok wrote:

Frank Sweetser wrote:

The usernames currently don't have a domain portion.  Would it be possible for
me to set a default domain for a given username?  (The list is small, so would
be manageable for me.)  And if so, could you give me at least a rough example
of how I would set this up?


  You can configure two different versions of the EAP module.  Each one
has its own server cert & CA.  Then, in the authorize section, do:

authorize {
...
# string comparisons in unlang take a quoted literal
if (User-Name == "user1") {
eap_1
}
elsif (User-Name == "user2") {
eap_2
}
...

}

authenticate {
...
# each instance also has to be listed here so its Auth-Type can run
eap_1
eap_2
...
}

  That should work.

  Alan DeKok.


This worked perfectly, Alan.  Thanks again!

--
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
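To make Alan's outline concrete, here is an added example of what the two EAP instances and the site sections look like, written in FreeRADIUS 2.x configuration syntax (the release current in 2008). It is not configuration from the thread or from the FreeRADIUS distribution: the instance names `eap_1`/`eap_2`, the certificate paths, the user names and the use of `check_cert_cn` are assumptions chosen for illustration.

```conf
# Added example, not from the thread. Each rlm_eap instance carries its own
# server certificate and its own single trust anchor, so a client handled by
# eap_1 is only ever validated against CA X, and one handled by eap_2 only
# against CA Y.

# --- eap.conf ---
eap eap_1 {
    default_eap_type = tls
    timer_expire     = 60
    ignore_unknown_eap_types = no
    max_sessions     = 4096

    tls {
        certdir          = ${confdir}/certs/ca_x        # assumed path
        private_key_file = ${certdir}/server_x.pem
        certificate_file = ${certdir}/server_x.pem
        CA_file          = ${certdir}/ca_x.pem          # only CA X is trusted here
        dh_file          = ${certdir}/dh
        random_file      = /dev/urandom
        fragment_size    = 1024
        include_length   = yes
        check_crl        = no
        # The User-Name that selected this instance is unauthenticated (it is
        # the EAP identity the client chose), so bind the client certificate's
        # CN to it; otherwise any cert from CA X would satisfy "user1".
        check_cert_cn    = %{User-Name}
    }
}

eap eap_2 {
    default_eap_type = tls
    timer_expire     = 60
    ignore_unknown_eap_types = no
    max_sessions     = 4096

    tls {
        certdir          = ${confdir}/certs/ca_y        # assumed path
        private_key_file = ${certdir}/server_y.pem
        certificate_file = ${certdir}/server_y.pem
        CA_file          = ${certdir}/ca_y.pem          # only CA Y is trusted here
        dh_file          = ${certdir}/dh
        random_file      = /dev/urandom
        fragment_size    = 1024
        include_length   = yes
        check_crl        = no
        check_cert_cn    = %{User-Name}
    }
}

# --- sites-enabled/default ---
authorize {
    preprocess
    # The identity only chooses which trust anchor is used; it proves nothing
    # by itself. Anyone not on the short list is rejected outright.
    if (User-Name == "user1") {
        eap_1
    }
    elsif (User-Name == "user2") {
        eap_2
    }
    else {
        reject
    }
}

authenticate {
    # rlm_eap sets Auth-Type to its own instance name, so both must appear here
    eap_1
    eap_2
}
```

Start the server with `radiusd -X` after the change and watch that the correct instance (and therefore the correct `CA_file`) is entered for each identity; a certificate from CA Y presented under the name `user1` must fail the chain check against CA X, which is exactly the separation the thread asks for. Because the list of names is hard-coded, every user added later needs a new `elsif` branch, which is the price of keying the choice on an identity that carries no realm.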


Re: EAP-TLS with different CA per user?

2008-06-08 Thread Frank Sweetser
Alan DeKok wrote:
 Frank Sweetser wrote:
 The usernames currently don't have a domain portion.  Would it be possible for
 me to set a default domain for a given username?  (The list is small, so would
 be manageable for me.)  And if so, could you give me at least a rough example
 of how I would set this up?
 
   You can configure two different versions of the EAP module.  Each one
 has its own server cert & CA.  Then, in the authorize section, do:
 
 authorize {
   ...
   # string comparisons in unlang take a quoted literal
   if (User-Name == "user1") {
   eap_1
   }
   elsif (User-Name == "user2") {
   eap_2
   }
   ...
 
 }
 
 authenticate {
   ...
   # each instance also has to be listed here so its Auth-Type can run
   eap_1
   eap_2
   ...
 }
 
   That should work.

That looks exactly like what I was looking for - thanks!  I'll give this a
shot on Monday and report back on how it worked...



Re: EAP-TLS with different CA per user?

2008-06-07 Thread Frank Sweetser
SecureW2 (List) wrote:
 Frank,
 
 It is not really a configuration issue, but more an Identity Management
 issue.
 
 It is not common to have a CA per user, but a CA per domain. And per domain
 you have users.

In general, I certainly agree.  The catch is that I'm attempting to handle
certs and CAs that are already out on some users machines.  Worst case, I can
start having everyone update certs as needed, but it would be far less hassle
for me to handle it in freeradius.

 So:
 
 User X from domain A has CA 1.
 User Y from domain B has CA 2.
 
 If this is what you are trying to achieve you can simply setup a
 configuration per domain/realm of these users.

The usernames currently don't have a domain portion.  Would it be possible for
me to set a default domain for a given username?  (The list is small, so would
be manageable for me.)  And if so, could you give me at least a rough example
of how I would set this up?



EAP-TLS with different CA per user?

2008-06-06 Thread Frank Sweetser


I have a configuration which I need, but haven't been able to figure out how
to make freeradius do it.

I have two users, A and B, both authenticating over wireless using EAP-TLS.
User A has a certificate which has been signed by CA X, and B has one signed
by CA Y.

What I need is to tell freeradius that certificates presented by user A should
only be checked against CA X, and similarly B only by Y.  Putting both X and Y
in the same CA list won't work in this case due to what appears to be a
limitation in OpenSSL.

I've been over all the existing docs I can find, and I haven't been able to
find any way to do this.  Anyone have any suggestion what I might try?

