Re: about "freeradius accepts anybody"

Thu, 10 Jul 2008 05:17:03 -0700 

Fernando escribió:



let me see... at this time...  can all client with a valid 
certificate  gain  access to the network?


Sergio Yébenes Moreno wrote:

Fernando escribió:


I don't understand, what is your goal?

Sergio Yébenes Moreno wrote:

Using eap-tls we can make a "filter" to users, based on different 
attibutes (I think). In my case, the "identity" field in 
wpa_supplicant.conf.


Freeradius config:

file users contains this
.....
.....
$INCLUDE autorizados
DEFAULT    Auth-Type := Reject
                    Reply-Message = "out"
......
......

file autorizados contains this
"user1"    Cleartext-Password := ""
               Reply-Message = "Autorizando....."
               Fall-Through = No
"user2" ............
...........


I had to make this because I'm not the signer of client 
certificates, only for server. I hope that somebody will help this.

-

List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




-

List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



__________ Información de NOD32, revisión 3257 (20080710) __________

Este mensaje ha sido analizado con NOD32 antivirus system
http://www.nod32.com




To use eap-tls with client certs signed by a public CA. Public CA 
means that I can't do anything with this. But I don't want that 
everybody comes to my network. I know that my english isn't very 
clear, but I think it's very simple. Clients are in a public PKI. 
Servers are in my own PKI. Clients trust in my PKI, servers trust in 
this public PKI. But servers only authorize some users.

-

List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




-

List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



__________ Información de NOD32, revisión 3257 (20080710) __________

Este mensaje ha sido analizado con NOD32 antivirus system
http://www.nod32.com




Ok. DNIe gives PUBLIC access control, to a public network (university, 
madrid Wifi (jeje, gallardón va de rey alcalde) etc), Dinamic keys, and 
all in 802.1x and, in consequence, 802.11i. But probably we don't want 
everybody in this network.Surely we hadn't spend money and time issuing 
certificates to clients. Because of this, we have "autorizados" file. 
Then, we only should issue certificates to radius. Clients trust in my 
CA, and radius trust in "ministerio del interior" jejeje, that sings 
certificates for everybody in Spain.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






















					Reply via email to