hi


I'm using FreeRADIUS and OpenSSL for EAP-TLS authentication. It's working
correctly, but I don't know how to configure FreeRADIUS to enable CRL
(Certificate Revocation List).

I think it's not possible for the moment.



I made a client's certificate signed by the CA and this client can log in. But
if I revoke his certificate, he can still log in. How can I configure
FreeRADIUS to read the CRL from OpenSSL?

you will have to add code.


A propos, do you know ANY existing piece of software which checks the CRLs?


ciao artur






Here is the EAP section of my 'radiusd.conf' file:


        eap {
                # Invoke the default supported EAP type when
                # EAP-Identity response is received
                default_eap_type = tls

                # Default expiry time to clean the EAP list,
                # It is maintained to co-relate the
                # EAP-response for each EAP-request sent.
                timer_expire     = 60

                # Supported EAP-types
                #md5 {
                #}

                ## EAP-TLS is highly experimental EAP-Type at the moment.
                #       Please give feedback on the mailing list.
                tls {
                        private_key_password = izadisan
                        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

                #       If Private key & Certificate are located in the
                #       same file, then private_key_file & certificate_file
                #       must contain the same file name.
                        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

                #       Trusted Root CA list
                        CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem

                        dh_file = /usr/local/openssl/ssl/certs/dh
                        random_file = /usr/local/openssl/ssl/certs/random
                #
                #       This can never exceed MAX_RADIUS_LEN (4096)
                #       preferably half the MAX_RADIUS_LEN, to
                #       accommodate other attributes in RADIUS packet.
                #       On most APs the MAX packet length is configured
                #       between 1500 - 1600. In these cases, fragment
                #       size should be <= 1024.
                #
                        fragment_size = 1024

                #       include_length is a flag which is by default set to yes
                #       If set to yes, Total Length of the message is included
                #       in EVERY packet we send.
                #       If set to no, Total Length of the message is included
                #       ONLY in the First packet of a fragment series.
                #
                        include_length = yes
                }
        }

Israel Cardenas.


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
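The behaviour Israel describes (a revoked client certificate that is still accepted) can be reproduced with OpenSSL alone, which also shows what a CRL-aware check looks like. The script below is an added example for this thread; it is not Israel's configuration and not FreeRADIUS code. It assumes an OpenSSL command-line tool of version 1.1.1 or newer (for `-pkeyopt` and `verify -CRLfile`); the CA, the client names `alice` and `bob`, and all file paths are constructed throwaway material. `verify_without_crl` is what a server that merely trusts `CA_file` does; `verify_with_crl` adds the revocation check that the thread says FreeRADIUS did not perform at the time.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeRADIUS code): show with OpenSSL
# alone why a revoked EAP-TLS client certificate is still accepted unless the
# verifier is explicitly told to consult the CRL. The CA, client names and
# paths are all constructed for this demonstration.
set -e

# Create a throwaway CA in a fresh temp dir; sets the global WORK.
setup_ca() {
    WORK=$(mktemp -d)
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"            # 'openssl ca' certificate database
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
    # Minimal config for 'openssl req' and 'openssl ca'.
    # $WORK expands when written; \$dir stays a config-file variable.
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth

[ ca ]
default_ca = test_ca

[ test_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 1
default_crl_days = 1
x509_extensions  = client_ext
policy           = policy_any

[ policy_any ]
commonName = supplied
EOF
    openssl req -config "$WORK/ca.cnf" -x509 -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 -days 1 \
        -subj "/CN=Throwaway Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a client certificate for CN=$1 through 'openssl ca', so it is
# recorded in the CA database and can be revoked later.
issue_client() {
    openssl req -config "$WORK/ca.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$WORK/ca.cnf" \
        -in "$WORK/$1.csr" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Revoke client $1's certificate and publish a fresh CRL (crl.pem).
revoke_client() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.pem" >/dev/null 2>&1
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# A verifier that trusts the CA but never looks at the CRL: exit 0 = accepted.
verify_without_crl() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# The same chain check with CRL enforcement switched on.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" \
        "$WORK/$1.pem" >/dev/null 2>&1
}

# Prints "accepted" or "rejected" for client $2 under verify function $1.
outcome() {
    if "$1" "$2"; then echo accepted; else echo rejected; fi
}

demo() {
    setup_ca
    issue_client alice
    issue_client bob
    revoke_client bob
    printf 'no CRL check:   alice=%s bob=%s\n' \
        "$(outcome verify_without_crl alice)" "$(outcome verify_without_crl bob)"
    printf 'with CRL check: alice=%s bob=%s\n' \
        "$(outcome verify_with_crl alice)" "$(outcome verify_with_crl bob)"
    rm -rf "$WORK"
}

demo
```

Running the script prints `bob=accepted` on the first line and `bob=rejected` on the second: revoking a certificate changes nothing until the verifying side actually loads and enforces the CRL, which is the gap the thread is about. Later FreeRADIUS releases (2.x onward) added a `check_crl` option to the `tls` section of the EAP configuration that turns on the same OpenSSL check shown in `verify_with_crl`.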

