Fernando wrote:
Sergio Yébenes Moreno wrote:
Fernando wrote:
let me see... at this time... can all clients with a valid
certificate gain access to the network?
Sergio Yébenes Moreno wrote:
Fernando wrote:
I don't understand, what is your goal?
Sergio Yébenes Moreno wrote:
Using EAP-TLS we can make a "filter" for users, based on different
attributes (I think). In my case, the "identity" field in
wpa_supplicant.conf.
FreeRADIUS config:
file users contains this
.....
.....
$INCLUDE autorizados
DEFAULT Auth-Type := Reject
        Reply-Message = "out"
......
......
file autorizados contains this
"user1" Cleartext-Password := ""
        Reply-Message = "Autorizando.....",
        Fall-Through = No
"user2" ............
...........
I had to do this because I'm not the signer of the client
certificates, only of the server's. I hope this will help somebody.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
__________ NOD32 information, revision 3257 (20080710) __________
This message has been scanned with the NOD32 antivirus system
http://www.nod32.com
To use EAP-TLS with client certs signed by a public CA. Public CA
means that I can't do anything with this. But I don't want
everybody to come onto my network. I know that my English isn't very
clear, but I think it's very simple. Clients are in a public PKI.
Servers are in my own PKI. Clients trust my PKI, servers trust
this public PKI. But servers only authorize some users.
No. Only if they are in the "autorizados" file. I've checked it with
wpa_supplicant, changing the "identity" field but with the same
certificate. The certificates are signed by a public CA. It's the DNIe
in Spain. Probably you know it. Because of this, I should have a
"filter" for users. This is my project at university. Using the DNIe in
my home network isn't among my objectives.
-
anyone that has a DNIe can access your home network. I mean that
you must have two phases: first user authentication with the DNIe and
then a process of authorization. You do the authorization process
with the file "autorizados". So, what is the problem?
First, FreeRADIUS looks in the users file, and only if the client is authorized
does it check the DNIe. There isn't any problem; I only want to show this, maybe help
somebody, and show Ivan Kalik how clients and servers can trust
different CAs.
Thanks for reading me
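Added example, not from any message in the thread: a FreeRADIUS 2.x configuration in the same shape as the one posted above (an `autorizados` allow-list pulled into `users` with `$INCLUDE`, and a `DEFAULT` entry that rejects everything else), together with the `eap.conf` setting that binds the EAP identity to the client certificate. The point it adds is a caveat the thread does not cover: the `users` file is evaluated on the identity the supplicant claims, so on its own it only filters names. Since every client certificate comes from the same public CA, a holder of any valid certificate from that CA could set `identity` in `wpa_supplicant.conf` to a listed name and pass the filter; `check_cert_cn = %{User-Name}` makes the TLS handshake fail unless the certificate's CN equals the claimed identity. This assumes users set their EAP identity to the exact CN of their certificate (the DNIe's CN format is not stated in the thread). The file paths, the `public-client-ca-chain.pem` bundle name, the issuer DN and the `user1`/`user2` names are placeholders.

```conf
# raddb/users  (server side; anything not matched by an earlier entry is rejected)
$INCLUDE autorizados

DEFAULT Auth-Type := Reject
        Reply-Message = "out"

# raddb/autorizados  (allow-list; one entry per permitted EAP identity)
# No password check item: EAP-TLS authenticates with the certificate,
# the entry only grants authorization to this identity.
"user1"
        Reply-Message = "Authorizing user1",
        Fall-Through = No

"user2"
        Reply-Message = "Authorizing user2",
        Fall-Through = No

# raddb/eap.conf (FreeRADIUS 2.x), relevant part of the tls section.
# Server cert/key come from the operator's own PKI (the one clients trust);
# CA_file is the chain of the PUBLIC CA that issued the client certificates.
eap {
        default_eap_type = tls
        tls {
                certdir = ${confdir}/certs
                cadir   = ${confdir}/certs

                private_key_file = ${certdir}/server.key
                certificate_file = ${certdir}/server.pem
                CA_file          = ${cadir}/public-client-ca-chain.pem

                # Bind the claimed identity to the presented certificate:
                # the handshake fails unless the cert's CN equals User-Name.
                # Without this, any certificate chaining to CA_file would
                # authenticate as "user1" once the identity passes the users file.
                check_cert_cn = %{User-Name}

                # Optional: also pin the issuer DN (placeholder value).
                # check_cert_issuer = "/C=ES/O=Example Public CA"
        }
}
```

With this in place the two phases the thread describes are both enforced: the `users` file decides which identities are authorized, and `check_cert_cn` ensures the certificate that authenticates actually belongs to that identity. Test it as the poster did, but in the other direction as well: keep a listed `identity` and present a different valid certificate from the same CA; the request must be rejected.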