Artur Hecker <[EMAIL PROTECTED]> wrote:
> oh.. so theoretically the server needs a "special" server certificate 
> enabling it to sign something, right? (with the right extensions, etc.)

  Yes.  See the tls{} configuration.  It points to a server
certificate.  The client certificates are signed with this certificate.

> yes ok. but if you just want to block a user for a while, you can still 
> apply the rest of the authorization, right?

  Yes.  You can always block any user for any reason.

> i think my problem is that i don't really know who does what in the 
> setup you present. rlm_eaptls checks the certificate - if it is signed by 
> the server's certificate then the user is granted access - independently 
> of what?

  Independently of the user & password existing in a database.

  If you don't list usernames and passwords in a database, then the
server has no way of authenticating users... unless you use
certificates.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
