Can I re-enable certs as well (with CRLs)? 

Where is a database of all certs which are still valid (when using CRLs)?

Does freeradius in eap-tls/eap-peap mode only check the client certs for
proper signature?


Sorry for the silly questions. I spent a whole day googling around and
reading howtos and docs. There's not too much documentation about all this.

--Manuel





> That's what CRLs are for.  There is support for CRLs in FreeRADIUS now, 
> so you can revoke the certs you no longer want used.
> 
> --Mike
> 
> -----------------------------------
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas
> 
> 
> 
> Manuel Schmitz wrote:
> > Thank you very much. :-)
> > I simply need a way to "turn off" certificates. Is there a possibility to
> > reject single certificates? 
> > I would like to provide a file containing a list of certs to deny. Is that
> > possible?
> > --Manuel
> > 
> > 
> > 
> >>No, the only thing that check_cert_cn does is make sure that the CN in 
> >>the certificate matches the User-Name attribute in the RADIUS request. 
> >>It's basically just a sanity/security check on the request itself.  It 
> >>does *not* go looking on other autz sources for you.  It is up to you to
> >>decide elsewhere (users file, SQL DB, LDAP) whether or not to allow that
> >>user to authenticate.  If you do nothing, the user will be allowed to 
> >>authenticate by default.  If, for some reason, you decide you don't want
> >>a user to be allowed to authenticate, you must specifically reject him.
> >>
> >>--Mike
> >>
> >>-----------------------------------
> >>Michael Griego
> >>Wireless LAN Project Manager
> >>The University of Texas at Dallas
> >>
> >>
> >>
> >>Manuel Schmitz wrote:
> >>
> >>>Hello,
> >>>
> >>>as far as I have understood, the "check_cert_cn" switch in raddb/eap.conf
> >>>forces the certificate's Common Name to be in the raddb/users file.
> >>>Otherwise the request will be rejected.
> >>>
> >>>Now I've commented out the whole raddb/users file but the radius doesn't
> >>>reject any request.
> >>>
> >>>I am running a WLAN with EAP-TLS authentication and need to "switch off"
> >>>single certificates.
> >>>
> >>>--Manuel Schmitz
> >>>
> >>
> >>- 
> >>List info/subscribe/unsubscribe? See
> >>http://www.freeradius.org/list/users.html
> >>
> > 
> > 
> 
