David Wood wrote:
Hi Sergio,
In message <[EMAIL PROTECTED]>, Sergio Yébenes Moreno
<[EMAIL PROTECTED]> writes
I'm configuring a freeradius server with opensc on the client side. I'd like
to know whether freeradius has support for PKCS#11.
In the wpa_supplicant log I see how the client writes TLS-ChangeCipherSpec and
TLS-Finished. This means that the server has authenticated, but
freeradius shows a TLS error because the client does not send a
certificate. I think it's because of PKCS#11. I'm not sure, but I really
need to know. I'm using
freeradius-server-2.0.4
The server doesn't care where the certificates and private key are
stored on the client side; the use of PKCS#11 and a smartcard or token
is irrelevant and the server needs no special support for PKCS#11.
The only way the use of the smartcard or token could change things is
if your supplicant needs the entire certificate chain on the smartcard
or token, and you've only loaded the certificate itself.
The only reason the server would need PKCS#11 support is if the
server's certificate were on a smartcard or token. It's an intriguing
idea, but I have my doubts that a smartcard or token would keep up
with the demands placed on it.
As Nicolas said, the debug log on the server side almost certainly
contains the answer to this - that's where you should be looking.
Run radiusd -X and attempt to authenticate using wpa_supplicant and
your token or smartcard. What does the server's debug output say? If
you can see the server rejecting the authentication attempt, look back
for the reason. If the server accepts the authentication attempt, the
problem is elsewhere.
Best wishes,
David
Hi David
"The server doesn't care where the certificates and private key are
stored on the client side; the use of PKCS#11 and a smartcard or token
is irrelevant and the server needs no special support for PKCS#11."
That rules. It's true. I've seen in the wpa_supplicant log that it can't access
the private key (fuckin' key_id), but even so, the client makes
client_certificate, client_key_exchange, ... and tcpdump shows
RADIUS-Access-Request... I'll ask about this at opensc-project, but it looks
like you know what you're speaking about. Do you know if freeradius can make
OCSP requests?
In /freeradius-server-2.0.5/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
they mention the OCSP protocol, but in eap.conf there is nothing about this!!
Thanks
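David's advice above is to read the radiusd -X output and look back for the reason. The script below is an added example (not from this thread, from FreeRADIUS or from wpa_supplicant) that triages such output: it records which TLS handshake messages each side sent inside the EAP-TLS exchange, so a failure where the supplicant never presents its certificate (a client-side certificate or key problem) is told apart from one where the server completes the handshake and then rejects. The log lines are constructed to approximate FreeRADIUS 2.x debug output and are not a capture from the original exchange.

```python
import re

# Constructed sample approximating FreeRADIUS 2.x "radiusd -X" output for an
# EAP-TLS attempt whose client answers CertificateRequest with an empty
# Certificate message. Not a capture from the original thread.
SAMPLE_LOG = """\
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0069], ClientHello
rlm_eap_tls: >>> TLS 1.0 Handshake [length 002a], ServerHello
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0a7b], Certificate
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0079], CertificateRequest
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
Sending Access-Reject of id 5 to 192.0.2.10 port 32768
"""

# "<<<" marks data received from the supplicant, ">>>" data the server sent.
HANDSHAKE = re.compile(r"(<<<|>>>) TLS [\d.]+ Handshake \[length ([0-9a-f]{4})\], (\w+)")
# An empty Certificate message is 7 bytes: 4-byte handshake header plus a
# 3-byte certificate_list length of zero, i.e. "no certificate".
EMPTY_CERT_LEN = 7


def triage(log_text):
    """Summarise one EAP-TLS attempt and name the likely cause of failure."""
    client, server, ssl_errors, result = {}, {}, [], None
    for line in log_text.splitlines():
        m = HANDSHAKE.search(line)
        if m:
            side = client if m.group(1) == "<<<" else server
            side[m.group(3)] = int(m.group(2), 16)  # message name -> length
        elif "SSL error" in line:
            ssl_errors.append(line.split("SSL error ", 1)[1])
        elif "Access-Accept" in line:
            result = "accept"
        elif "Access-Reject" in line:
            result = "reject"

    if "CertificateRequest" in server and client.get("Certificate", 0) <= EMPTY_CERT_LEN:
        cause = "client sent no certificate: the supplicant could not read its certificate (client-side issue, not missing PKCS#11 support on the server)"
    elif "Certificate" in client and "CertificateVerify" not in client:
        cause = "client sent its certificate but no CertificateVerify: the supplicant could not sign with the private key"
    elif result == "accept":
        cause = "TLS handshake completed and Access-Accept sent: the problem is elsewhere"
    else:
        cause = "handshake completed but request rejected: check the server's certificate verification (CA chain, CRL/OCSP)"
    return {"client": client, "server": server, "ssl_errors": ssl_errors, "result": result, "cause": cause}
```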
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html