I'm using FreeRADIUS and OpenSSL for EAP-TLS authentication. It's working correctly, but I don't know how to configure FreeRADIUS to enable CRL (Certificate Revocation List).
I think it's not possible for the moment.
I made a client certificate signed by the CA and this client can log in. But if I revoke his certificate, he can still log in. How can I configure FreeRADIUS to read the CRL from OpenSSL?
You will have to add code.
Apropos, do you know ANY existing piece of software which checks the CRLs?
Ciao, Artur
Here is the EAP section of my 'radiusd.conf' file:
eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received
        default_eap_type = tls

        # Default expiry time to clean the EAP list,
        # It is maintained to co-relate the
        # EAP-response for each EAP-request sent.
        timer_expire = 60

        # Supported EAP-types
        #md5 {
        #}

        ## EAP-TLS is highly experimental EAP-Type at the moment.
        # Please give feedback on the mailing list.
        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

                # If Private key & Certificate are located in the
                # same file, then private_key_file & certificate_file
                # must contain the same file name.
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

                # Trusted Root CA list
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem

                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                #
                # This can never exceed MAX_RADIUS_LEN (4096)
                # preferably half the MAX_RADIUS_LEN, to
                # accommodate other attributes in RADIUS packet.
                # On most APs the MAX packet length is configured
                # between 1500 - 1600. In these cases, fragment
                # size should be <= 1024.
                #
                fragment_size = 1024

                # include_length is a flag which is by default set to yes
                # If set to yes, Total Length of the message is included
                # in EVERY packet we send.
                # If set to no, Total Length of the message is included
                # ONLY in the First packet of a fragment series.
                #
                include_length = yes
        }
}
Israel Cardenas.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
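What the thread describes (a revoked client certificate that keeps validating because nothing consults the CRL) can be reproduced with plain OpenSSL. The script below is an added example, not code from this thread or from FreeRADIUS; it assumes only the openssl command-line tool, and the CA, client certificate and CRL it uses are throw-away ones constructed on the fly.

```shell
#!/bin/sh
# Throw-away CA: issue a client cert, revoke it, then verify it with and
# without CRL checking. Assumes the openssl CLI; all names are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
touch index.txt; echo 01 > serial

# CA key and self-signed CA cert; client key/CSR signed by that CA
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo CA" -days 365 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=client" 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in client.csr -out client.pem 2>/dev/null
# outcome MODE CERT -> prints "accepted" or "rejected", always exits 0.
# "plain" is a verifier that ignores CRLs (FreeRADIUS in this thread);
# "crl" loads crl.pem beside the CA cert and enables -crl_check.
outcome() {
  if [ "$1" = crl ]; then
    cat ca.pem crl.pem > trust.pem
    openssl verify -crl_check -CAfile trust.pem "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile ca.pem "$2" >/dev/null 2>&1
  fi && echo accepted || echo rejected
}
openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null  # empty CRL
BEFORE=$(outcome crl client.pem)                                    # accepted
openssl ca -batch -config ca.cnf -revoke client.pem 2>/dev/null
openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null  # now lists client
after_plain() { outcome plain client.pem; }  # accepted: revocation goes unnoticed
after_crl()   { outcome crl client.pem; }    # rejected: CRL consulted
echo "before: crl=$BEFORE; after: plain=$(after_plain) crl=$(after_crl)"
```

The "plain" result after revocation is exactly the behaviour reported above: a verifier that trusts the CA but never loads the CRL has no way to notice the revocation.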