Sergio Yébenes Moreno wrote:
Ivan Kalik wrote:
Ok. DNIe gives PUBLIC access control to a public network
(university, Madrid Wifi (hehe, Gallardón is playing king-mayor), etc.),
dynamic keys, and all in 802.1x and, in consequence, 802.11i. But
probably we don't want everybody in this network. Surely we haven't
spent money and time issuing certificates to clients. Because of
this, we have the "autorizados" file. Then we only need to issue
certificates to radius. Clients trust my CA, and radius trusts the
"Ministerio del Interior", hehehe, which signs certificates for
everybody in Spain.
I can see where you are heading with this. You want to use
usernames/passwords *and* check client certificates. Freeradius doesn't
support this. That is called PEAP-EAP-TLS and is supported in
Microsoft-only networks.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
I don't want to use passwords. I only want to use what is working at
this time: public-domain EAP-TLS, but only for students of a university,
for example. Probably there are better methods to do this, but this
works. I promise..... the "identity" field in wpa_supplicant and the cert's
"commonName" in WinXP clients.
Now I want to put up 3 virtual servers, one for DNIe and one for another
public CA (FNMT) that has less range than DNIe. I'd like to ask you,
if you know. The "authorize" section supports unlang and we can use
User-Name, for example, to authenticate in any virtual server. I
suspect that I can't do this based on the signer of the client certificate.
The point is that the common name in certificates signed by FNMT comes
with a well-known prefix, and the DNIe CommonName comes with a well-known
suffix. I don't know where to begin..... hints file, sites-enabled,
regular expressions.... The Freeradius virtual server documentation shows
virtual servers based on IP, access points, server pools, but nothing
about user credentials.....
mmmm.... Do you want to authenticate people at different servers? Use a
proxy.
CLIENT ------------------> PROXY RADIUS
------------------> DNIe AUTH
------------------> MY CA AUTH
ok?
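The proxy layout suggested above, written out as a FreeRADIUS 2.x configuration: the proxy's authorize section picks a realm from the pattern of the EAP identity (which, as the thread notes, is the certificate CN for the WinXP and wpa_supplicant clients), and proxy.conf maps each realm to the home server that trusts that CA. This is an added example, not code from the list posts; the FNMT- prefix, the DNIE suffix, the home-server addresses and the shared secrets are placeholders.

```unlang
# Added example, not from the thread. Placeholders: FNMT- prefix, DNIE suffix,
# home-server addresses and shared secrets.

# --- proxy.conf on the PROXY RADIUS: one home server per CA-specific server
home_server dnie_auth {
    type   = auth
    ipaddr = 192.0.2.10        # placeholder: server whose EAP-TLS trusts the DNIe CA
    port   = 1812
    secret = CHANGE_ME_DNIE    # placeholder shared secret
}
home_server fnmt_auth {
    type   = auth
    ipaddr = 192.0.2.20        # placeholder: server whose EAP-TLS trusts the FNMT CA
    port   = 1812
    secret = CHANGE_ME_FNMT    # placeholder shared secret
}
home_server_pool dnie_pool {
    type        = fail-over
    home_server = dnie_auth
}
home_server_pool fnmt_pool {
    type        = fail-over
    home_server = fnmt_auth
}
realm dnie {
    auth_pool = dnie_pool
    nostrip                    # User-Name is the CN, not user@realm: keep it whole
}
realm fnmt {
    auth_pool = fnmt_pool
    nostrip
}

# --- sites-enabled/default on the PROXY RADIUS: route on the EAP identity
authorize {
    preprocess
    if (User-Name =~ /^FNMT-/) {          # placeholder FNMT naming prefix
        update control {
            Proxy-To-Realm := "fnmt"
        }
    }
    elsif (User-Name =~ /DNIE$/) {        # placeholder DNIe naming suffix
        update control {
            Proxy-To-Realm := "dnie"
        }
    }
    else {
        reject                            # identity fits neither CA naming scheme
    }
}
```

The identity is sent by the client in the clear and is not yet verified when this routing runs, so the regex only selects the home server; each home server still decides trust by validating the client certificate against its own CA and by its own "autorizados" list.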