Hi Klaus, > For peap you don't use a certificate on the client (better: > supplicant) side, so it is not checked. What you seem to have revoked > is the certficate the server presents to the supplicant, which has no > part in deciding to authorize/authenticate the user.
It is as surely your telling. I did not understand PEAP's specification, but I know it. Thank you for your answering! Best Regards, Kouji Amemiya On Fri, 16 Dec 2005 12:39:42 +0100 wbh <[EMAIL PROTECTED]> wrote: > On 12/16/05, Kouji Amemiya <[EMAIL PROTECTED]> wrote: > > I was using the certificate published by OpenSSL, I revoked this > > certificate. > > (Herewith, this certificate's information was written on CRL.) > > > > And I attempted PEAP authentication by this revoked certificate, > > but authentication result was "Access-Accept". > > For peap you don't use a certificate on the client (better: > supplicant) side, so it is not checked. What you seem to have revoked > is the certficate the server presents to the supplicant, which has no > part in deciding to authorize/authenticate the user. > > Why the supplicant doesn't refuse the supposedly revoked server > certificate would be interesting (you could look into your setup, if > the supplicant did check for the latest CRL of the certicate's > issuer), but is unresponsive to your original question. > > Regards, > Klaus Hvrcher > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html