Hi Klaus,

> For peap you don't use a certificate on the client (better:
> supplicant) side, so it is not checked. What you seem to have revoked
> is the certificate the server presents to the supplicant, which has no
> part in deciding to authorize/authenticate the user.

It is surely as you say.
I did not understand PEAP's specification, but I know it.

Thank you for your answer!

Best Regards,
Kouji Amemiya


On Fri, 16 Dec 2005 12:39:42 +0100
wbh <[EMAIL PROTECTED]> wrote:

> On 12/16/05, Kouji Amemiya <[EMAIL PROTECTED]> wrote:
> > I was using the certificate published by OpenSSL, I revoked this 
> > certificate.
> > (Herewith, this certificate's information was written on CRL.)
> >
> > And I attempted PEAP authentication by this revoked certificate,
> > but authentication result was "Access-Accept".
> 
> For peap you don't use a certificate on the client (better:
> supplicant) side, so it is not checked. What you seem to have revoked
> is the certificate the server presents to the supplicant, which has no
> part in deciding to authorize/authenticate the user.
> 
> Why the supplicant doesn't refuse the supposedly revoked server
> certificate would be interesting (you could look into your setup, if
> the supplicant did check for the latest CRL of the certificate's
> issuer), but is unresponsive to your original question.
> 
> Regards,
> Klaus Hvrcher
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
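
An added illustration of the point in the quoted reply (not part of the original thread): revoking a certificate only has an effect if the party validating it actually consults the issuer's CRL. The `openssl` command line stands in here for the supplicant's verifier, which is an assumption; the CA, file names and host name are constructed for the demo.

```shell
# Constructed demo: throwaway CA, one server certificate, revoke it, then
# verify it twice. All names (Demo CA, radius.example.test) are made up.
crl_demo() (
  d=$(mktemp -d) || exit 2
  trap 'rm -rf "$d"' EXIT
  cd "$d" || exit 2
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
  {
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
      -keyout ca.key -out ca.pem -subj "/CN=Demo CA" &&
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout srv.key -out srv.csr -subj "/CN=radius.example.test" &&
    openssl ca -config ca.cnf -batch -notext -in srv.csr -out srv.pem &&
    openssl ca -config ca.cnf -revoke srv.pem &&
    openssl ca -config ca.cnf -gencrl -out crl.pem
  } >/dev/null 2>&1 || exit 2
  # 1) Chain validation only: the revoked certificate still verifies.
  openssl verify -CAfile ca.pem srv.pem >/dev/null 2>&1 &&
    echo "no CRL check: accepted"
  # 2) Same certificate, but the verifier is told to consult the CRL.
  openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem srv.pem 2>&1 |
    grep -q "certificate revoked" && echo "CRL check: rejected"
)
```

Calling `crl_demo` prints one line per verification, so the difference between the two runs is the effect of the CRL check alone.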


