Sergio Yébenes Moreno wrote:
Fernando wrote:
Let me see... at this time... can all clients with a valid
certificate gain access to the network?
Sergio Yébenes Moreno wrote:
Fernando wrote:
I don't understand, what is your goal?
Sergio Yébenes Moreno wrote:
Using eap-tls we can make a "filter" for users, based on different
attributes (I think). In my case, the "identity" field in
wpa_supplicant.conf.
FreeRADIUS config:
File users contains this:
.....
.....
$INCLUDE autorizados
DEFAULT Auth-Type := Reject
        Reply-Message = "out"
......
......
File autorizados contains this:
"user1" Cleartext-Password := ""
        Reply-Message = "Autorizando.....",
        Fall-Through = No
"user2" ............
...........
I had to do this because I'm not the signer of the client
certificates, only of the server's. I hope that somebody can help with this.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
__________ NOD32 information, revision 3257 (20080710) __________
This message has been scanned with NOD32 antivirus system
http://www.nod32.com
To use eap-tls with client certs signed by a public CA. Public CA
means that I can't do anything with this. But I don't want
everybody to come onto my network. I know that my English isn't very
clear, but I think it's very simple. Clients are in a public PKI.
Servers are in my own PKI. Clients trust my PKI, servers trust
this public PKI. But servers only authorize some users.
No. Only if they are in the "autorizados" file. I've checked it with
wpa_supplicant, changing the "identity" field, but with the same
certificate. The certificates are signed by a public CA. It's the DNIe
in Spain. Probably you know it. Because of this, I should have a
"filter" for users. This is my project at university. Using DNIe in my
home network isn't one of my objectives.
-
Anyone that has a DNIe can access your home network. I mean that you
must have two phases: first, user authentication with DNIe, and then a
process of authorization. You do the authorization process with the file
"autorizados". So, what is the problem?
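An added configuration example, not part of the original thread: the "identity" field is chosen by the client, so the "autorizados" allow-list discussed above only holds if the identity is tied to the presented certificate. FreeRADIUS's check_cert_cn option in the tls section of eap.conf does this; the CN value below is a constructed placeholder, and the entry layout mirrors the one posted in the thread.

```text
# eap.conf, inside the existing tls { } section (other settings unchanged).
# The expanded value is compared with the CN of the client certificate;
# on a mismatch certificate verification fails and the user is rejected.
tls {
        check_cert_cn = %{User-Name}
}

# users file: unchanged from the thread. Anything not matched in
# "autorizados" falls through to the DEFAULT reject.
$INCLUDE autorizados
DEFAULT Auth-Type := Reject
        Reply-Message = "out"

# autorizados: key each entry on the certificate CN instead of a free-form
# name, since the identity must now equal the CN to get this far.
# "CONSTRUCTED SUBJECT CN" is a placeholder, not a real certificate subject.
"CONSTRUCTED SUBJECT CN" Cleartext-Password := ""
        Reply-Message = "Autorizando.....",
        Fall-Through = No
```

A useful check after the change is to repeat the test described in the thread: keep the same certificate, set "identity" in wpa_supplicant.conf to another listed user, and confirm the server now rejects the session.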