On 05/06/2010 03:17 AM, shirkavand wrote:
Hi,

Can I use freeradius + mysql + ssl certificates at the same time for
authenticating users... or does this not make sense? I am a bit confused
whether I have to use one of them (mysql or ssl certificates) for
authentication purposes.

I have read tutorials for using freeradius + mysql OR freeradius + ssl
certificates. The "freeradius + mysql" tutorial explains how to do the
authentication using mysql... so the passwords and users are all stored
inside a mysql db. On the other hand, the freeradius + ssl
certificates tutorial explains how to do the authentication using a file
called "users" that stores all the users and passwords.

So I am wondering whether or not I can make the radius server authenticate users
using the credential info from the mysql DB and using certificates
too... or if each one is a different method to use.

You might be confused as to when certificates are required and for what purpose. In the more common case the only certificate needed is for the radius server; user authentication occurs via per-user passwords or hashes available to the radius server via a secondary store (e.g. SQL database, flat file, or LDAP). The server certificate is only used to secure the communications channel, and there is no need to store a certificate in a database. However, some EAP methods avoid the use of the less secure password/hash credential (what is normally stored in a database on a per-user basis) and instead require a client certificate. Client certificates (i.e. a certificate is issued to each user wishing to authenticate) are more secure than passwords/hashes. However, the requirement for distributing and maintaining client-side certificates is often considered too much of a logistical burden despite the excellent security it provides. When client certificates are used it's still not necessary to store any per-user certificates in the backend. Why? Because in the SSL/TLS protocol, when client authentication is requested, the client sends its certificate to the server, which then validates the client certificate (after having also validated a client-signed challenge). The primary requirement here is that the CA which signed the client certificate is a trusted CA known to the radius server.

The short answer is radius configurations backed by a MySQL database do not require storing per user certificates in the database.

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
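The exchange John describes (the client presents a CA-signed certificate, the server chains it to a trusted CA and checks the client's signature over a challenge, and no per-user record exists on the server side), as an added Go example that is not part of the original thread or of FreeRADIUS. It builds a throwaway CA and user certificates in memory; the CA names, the user name "alice" and the challenge bytes are constructed for the example, and the challenge stands in for the handshake transcript that real TLS client authentication signs. It also shows the two failure cases a practitioner should expect: a same-named certificate from an untrusted CA, and a trusted certificate whose challenge was signed with the wrong key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey makes a P-256 key; used for CAs and users alike.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// template is the shared part of every certificate we mint (random serial, 24h validity).
func template(name string) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	return &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// mint signs tmpl with signer (parent) and parses the result back into a Certificate.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// newCA builds a self-signed CA: the only thing the RADIUS server has to trust.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := template(name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	return mint(tmpl, tmpl, &key.PublicKey, key), key
}

// issueUserCert is enrollment: the CA signs a certificate naming the user.
// Nothing produced here needs to be stored on the server.
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := template(user)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return mint(tmpl, ca, &key.PublicKey, caKey), key
}

// clientSign is the client's half: sign the server's challenge with the key that
// matches the presented certificate (in real TLS the signed data is the transcript).
func clientSign(key *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	check(err)
	return sig
}

// serverAuthenticate is the server's half: chain the presented certificate to a
// trusted CA, then verify the challenge signature. The identity is whatever the
// certificate says; no per-user lookup is involved.
func serverAuthenticate(trusted *x509.CertPool, presented *x509.Certificate, challenge, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	// CheckSignature hashes challenge with SHA-256 and verifies sig with the cert's public key.
	if err := presented.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return "", fmt.Errorf("challenge signature invalid: %w", err)
	}
	return presented.Subject.CommonName, nil
}

// runScenario: a user from the trusted CA succeeds; the same name from a rogue CA
// and a signature made with the wrong key both fail.
func runScenario() (user string, rogueErr error, badKeyErr error) {
	ca, caKey := newCA("Example RADIUS CA") // constructed for the example
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	challenge := []byte("constructed handshake challenge")

	aliceCert, aliceKey := issueUserCert(ca, caKey, "alice")
	user, err := serverAuthenticate(trusted, aliceCert, challenge, clientSign(aliceKey, challenge))
	check(err)

	rogueCA, rogueKey := newCA("Rogue CA")
	fakeAlice, fakeKey := issueUserCert(rogueCA, rogueKey, "alice")
	_, rogueErr = serverAuthenticate(trusted, fakeAlice, challenge, clientSign(fakeKey, challenge))

	_, badKeyErr = serverAuthenticate(trusted, aliceCert, challenge, clientSign(newKey(), challenge))
	return user, rogueErr, badKeyErr
}

func main() {
	user, rogueErr, badKeyErr := runScenario()
	fmt.Println("accepted:", user)
	fmt.Println("rogue CA:", rogueErr)
	fmt.Println("wrong key:", badKeyErr)
}
```

The server side holds exactly one thing: the CA certificate in the pool. Adding or removing users is a matter of issuing or revoking certificates at the CA (revocation checking is not shown here), which is the distribution burden John refers to; the MySQL backend, if present, is only consulted for authorization data such as VLAN or group, not for deciding whether the certificate is genuine.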
