Hi there,
we use FreeRADIUS (1.1.0 from SLES10) to provide 802.1x on all wired switches in the company. As backend we have Novell eDir where all users are stored. We also use per-user VLANs, which are stored in the eDir. This setup is working so far.

Now we want to secure the authentication by SSL certificates (to protect the client from a "foreign" server getting their credentials, and the "eDir" from "foreign" clients, to avoid brute force attacks). Our idea was: use a "general" certificate to identify every supplicant/client and use this cert to protect the tunnel where user/pass is provided.

We have configured a guest VLAN (2) on the Cisco switch where all unauthenticated or "unknown" supplicants/clients get into. The next VLAN (4) is for supplicants/clients which have the right cert installed, and last but not least the user's own VLAN (300). From VLAN 2 you're not allowed to do "anything" besides staging the client (for new installations). At VLAN 4 you may connect to a few servers (to get your box ready for production when no user is set up) and 300 is a fully working VLAN.

For now this works "a bit". It seems that you cannot use "just" a cert to get into VLAN 4 (you need a user, and that user defined in the users file, at least for the Cisco client, which *needs* a user when using a cert...). Besides that, I noticed that when using a wrong SSL cert and user+pw (to get VLAN 300) FreeRADIUS *first* checks the eDirectory, and THEN the EAP/TTLS stuff. Shouldn't this be exactly the other way around?

Our config looks like:

radius.conf:

    modules {
            eap {
                    default_eap_type = ttls
                    ignore_unknown_eap_types = no
                    tls {
                            private_key_file = key
                            certificate_file = cert
                            CA_file = ca.crt
                    }
                    ttls {
                            private_key_file = key
                            certificate_file = cert
                            CA_file = ca.cert
                            default_eap_type = md5
                            copy_request_to_tunnel = yes
                            use_tunneled_reply = yes
                    }
            }
            ldap {
                    server = "edir.company.lan"
                    port = 636
                    # rlm_ldap bind DN; the config key is "identity"
                    identity = "cn=freeradius,o=admin"
                    password = xxx
                    basedn = "o=company"
                    tls_mode = yes
                    ...
                    edir_account_policy_check = yes
            }
            files {
                    # defaultstuff
            }
    }

    authorize {
            preprocess
            eap
            ldap
    }

    authenticate {
            eap
            Auth-Type LDAP {
                    ldap
            }
    }

    post-auth {
            ldap
            Post-Auth-Type REJECT {
                    ldap
            }
    }

users:

    DEFAULT Auth-Type = LDAP
            Tunnel-Type := "VLAN",
            Tunnel-Medium-Type := "IEEE-802",
            Fall-Through = Yes

    DEFAULT Service-Type == Framed-User
            Framed-IP-Address = 255.255.255.254,
            Framed-MTU = 576,
            Service-Type = Framed-User,
            Fall-Through = Yes

    DEFAULT Framed-Protocol == PPP
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP

So why doesn't it check the tunnel (SSL) first and stop if the client has no valid cert? I think I just overlooked something... but I'm a bit puzzled now...

Regards and thanks,
Sven Michels
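The ordering Sven observes follows from how the outer EAP-TTLS request is processed: the authorize section (preprocess, eap, ldap) runs on the first Access-Request from the supplicant, and at that point no TLS tunnel exists yet, so the ldap module acts on whatever User-Name the supplicant put in the outer identity. The added example below, which is not from the original post or from the FreeRADIUS project, decodes constructed Access-Request packets (RADIUS TLV attributes and the EAP header inside EAP-Message) to show exactly what is visible at that stage: the cleartext outer User-Name and EAP Identity, and nothing of the inner conversation once EAP-TTLS carries opaque TLS bytes. The helper `leaks_real_identity`, the `anonymous@<realm>` outer-identity convention, the user name `jdoe`, and the realm `company.lan` are assumptions chosen for the illustration.

```python
import struct

# RADIUS attribute types and EAP constants (RFC 2865, RFC 3748, RFC 5281).
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TTLS = 21
EAP_TYPE_NAMES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}


def radius_attr(atype, value):
    """Encode one RADIUS attribute as Type/Length/Value (Length counts the 2 header bytes)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def eap_packet(code, identifier, eap_type, data):
    """Encode an EAP packet: Code, Identifier, Length (4 header bytes + Type + Data)."""
    return struct.pack("!BBH", code, identifier, 5 + len(data)) + bytes([eap_type]) + data


def access_request(identifier, user_name, eap):
    """Build an Access-Request carrying User-Name and the EAP payload in EAP-Message fragments.
    The 16-byte Request Authenticator is zeroed because this is a constructed sample packet."""
    attrs = radius_attr(ATTR_USER_NAME, user_name.encode())
    for off in range(0, len(eap), 253):  # EAP-Message values are at most 253 bytes
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap[off:off + 253])
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + b"\x00" * 16 + attrs


def parse_radius(packet):
    """Decode the RADIUS header and attribute list, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, attrs


def outer_view(packet):
    """What the outer Access-Request exposes.  This is the request the authorize
    section (and therefore the ldap module listed there) sees before any TTLS
    tunnel exists: the cleartext User-Name, the EAP type, and the EAP Identity
    if the supplicant sent one.  Inner TTLS data is opaque TLS at this layer."""
    _, _, attrs = parse_radius(packet)
    view = {"user_name": None, "eap_type": None, "eap_identity": None}
    eap = b""
    for atype, value in attrs:
        if atype == ATTR_USER_NAME:
            view["user_name"] = value.decode("utf-8", "replace")
        elif atype == ATTR_EAP_MESSAGE:
            eap += value  # reassemble fragments in order
    if len(eap) >= 5:
        code, _, length = struct.unpack("!BBH", eap[:4])
        eap_type = eap[4]
        view["eap_type"] = EAP_TYPE_NAMES.get(eap_type, eap_type)
        if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
            view["eap_identity"] = eap[5:length].decode("utf-8", "replace")
    return view


def leaks_real_identity(packet, realm):
    """True if the outer request names a real account instead of an anonymous
    outer identity of the form 'anonymous@<realm>' (hypothetical site convention)."""
    v = outer_view(packet)
    for name in (v["user_name"], v["eap_identity"]):
        if name and not name.lower().startswith("anonymous@" + realm):
            return True
    return False


# Constructed sample packets (not captured traffic):
# 1) a supplicant that puts the real account name in the outer identity
REQ_REAL = access_request(1, "jdoe", eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"jdoe"))
# 2) the same user with an anonymous outer identity; only the tunnel carries "jdoe"
REQ_ANON = access_request(2, "anonymous@company.lan",
                          eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"anonymous@company.lan"))
# 3) a later packet of that conversation: EAP-TTLS carrying opaque TLS record bytes
REQ_TTLS = access_request(3, "anonymous@company.lan",
                          eap_packet(EAP_RESPONSE, 2, EAP_TYPE_TTLS, b"\x00\x16\x03\x01\x00\x05hello"))

if __name__ == "__main__":
    for name, pkt in (("real", REQ_REAL), ("anon", REQ_ANON), ("ttls", REQ_TTLS)):
        print(name, outer_view(pkt), "leaks real identity:", leaks_real_identity(pkt, "company.lan"))
```

Run against the three constructed packets, the first one shows `jdoe` in both User-Name and the EAP Identity, which is what the ldap module in the outer authorize section is keyed on; the anonymous variants show only the placeholder identity, and the TTLS packet shows no identity at all. That is the practical reason to keep eDir lookups (and the eDir account-policy checks) for the tunneled request, where the client has already presented its certificate, and to have supplicants send an anonymous outer identity.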