Fernando wrote:
Sergio wrote:
Fernando wrote:
Sergio Yébenes Moreno wrote:
Ivan Kalik wrote:
Ok. DNIe gives PUBLIC access control to a public network
(university, Madrid WiFi (hehe, Gallardón plays at being king-mayor),
etc.), dynamic keys, and all in 802.1x and, in consequence,
802.11i. But probably we don't want everybody in this
network. Surely we hadn't spent money and time issuing
certificates to clients. Because of this, we have the "autorizados"
file. Then, we only should issue certificates to radius. Clients
trust my CA, and radius trusts the "ministerio del interior",
hehehe, that signs certificates for everybody in Spain.
I can see where you are heading with this. You want to use
usernames/passwords *and* check client certificates. Freeradius
doesn't support this. That is called PEAP-EAP-TLS and is supported in
Microsoft-only networks.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
__________ NOD32 information, revision 3257 (20080710) __________
This message has been scanned by NOD32 antivirus system
http://www.nod32.com
I don't want to use passwords. I only want to use what at this time
is working: public domain eap-tls, but only for students of a
university, for example. Probably there are better methods to do
this, but this works. I promise... the "identity" field in
wpa_supplicant and the cert's "commonName" in winXP clients.
Now I want to put 3 virtual servers, one for DNIe and one for
another public CA (FNMT) that has less range than DNIe. I'd like
to ask you, if you know: the "authorize" section supports unlang and we
can use User-Name, for example, to authenticate in any virtual
server. I suspect that I can't do this based on the signer of the client
certificate. The point is that the common name in certificates signed
by FNMT comes with a well-known prefix, and the DNIe CommonName comes
with a well-known suffix. I don't know how to begin... hints file,
sites-enabled, regular expressions... The Freeradius virtual servers
documentation shows virtual servers based on IP, access points,
server pools, but nothing about user credentials...
mmmm... Do you want to authenticate people at different servers? Use
a proxy.
CLIENT ------------------> PROXY RADIUS
------------------> DNIe AUTH
------------------> MY CA AUTH
ok?
mmmmm I see that I can authenticate users at different servers, based
on the domain of the user-name, using radius as a proxy. But I have
the "(AUTENTICACIÓN)" suffix for some users and the "NOMBRE" prefix for the
others. I think this will make me spend some time...
Thanks, Fernando
mmmm I don't understand... put an example :). What do you mean by
"AUTENTICACION" and "NOMBRE"?
"AUTENTICACIÓN" is a suffix of the user-name, but only for those
certificates that are subordinate to the FNMT CA. "NOMBRE" is a prefix of
the user-name for those who have DNIe, subordinate to another CA. I want to
configure two virtual servers based on these details, if I can.
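One way to do the routing Fernando describes, combining Sergio's proxy suggestion with an unlang test on the CN pattern that wpa_supplicant sends as the EAP identity. This is an added example, not configuration from this thread; it assumes FreeRADIUS 2.x syntax, and the realm names, loopback ports and secrets are placeholders.

```unlang
# sites-enabled/default: the front end that the access points talk to.
# The EAP identity repeats the certificate CN, so its well-known
# prefix/suffix decides which backend (and therefore which CA) gets
# to validate the client certificate. The eap module is NOT run here;
# the whole EAP conversation is forwarded to the chosen backend.
authorize {
    preprocess
    if (User-Name =~ /^NOMBRE/) {
        update control {
            Proxy-To-Realm := "dnie"
        }
    }
    elsif (User-Name =~ /\(AUTENTICACI.N\)$/) {   # '.' avoids encoding issues with Ó
        update control {
            Proxy-To-Realm := "fnmt"
        }
    }
    else {
        reject          # neither pattern: do not forward at all
    }
}

# proxy.conf: one backend virtual server per CA, both on this host.
# Each backend listens on its own loopback port and runs an eap
# instance whose tls CA_file contains only that CA.
home_server dnie_backend {
    type   = auth
    ipaddr = 127.0.0.1
    port   = 1814
    secret = PLACEHOLDER_DNIE_SECRET
}
home_server fnmt_backend {
    type   = auth
    ipaddr = 127.0.0.1
    port   = 1815
    secret = PLACEHOLDER_FNMT_SECRET
}
home_server_pool dnie_pool {
    type        = fail-over
    home_server = dnie_backend
}
home_server_pool fnmt_pool {
    type        = fail-over
    home_server = fnmt_backend
}
realm dnie {
    auth_pool = dnie_pool
    nostrip                 # keep the full CN as User-Name for the backend
}
realm fnmt {
    auth_pool = fnmt_pool
    nostrip
}
```

Each backend still needs its own `listen { ... virtual_server = ... }` block on the matching port, a `server` block whose authorize/authenticate sections call the eap instance for that CA, and a clients.conf entry for 127.0.0.1 with the same secret. The front-end regex only picks the backend; the certificate chain is still checked by the backend's TLS configuration, so a forged CN alone gains nothing.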