Wireless network: WindowsXP supplicant, EAP-TLS and computer certificates.

2006-05-12 Thread Lev A. Serebryakov


  I am trying to use FreeRADIUS to build 802.1X EAP-TLS authorization. I 
want to use only computer certificates (not user ones) on WinXP. Such 
certificates contain the FQDN of the client in the `commonName' field.


  But WinXP/SP2 sends `User-Name' in such a case as `host/FQDN', and the 
check of commonName fails.


  How can I re-map such `User-Names'? I've tried to create a realm with 
LOCAL mapping, but it doesn't help much :(


  It seems that eap-tls `xlat's the user-name before the check, but xlat is 
not well-documented :(


--
// Lev Serebryakov

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Check the subject and issuer in the EAP-TLS

2006-05-12 Thread Lev A. Serebryakov

Michal Prochazka wrote:

> I'm open for every remark and enhancement of this patch.

  IMHO, it is a very breakable script: it compares only strings (issuer 
name, subject, etc.), which can be forged easily. IMHO, we need to check 
sha1/md5 signatures of CA certificates, not strings.


--
// Lev Serebryakov


Re: Check the subject and issuer in the EAP-TLS

2006-05-12 Thread Lev A. Serebryakov

Michal Prochazka wrote:

> I'm open for every remark and enhancement of this patch.

  BTW, there is a `CA_file' parameter in the `tls' module, so the CA 
certificate is known to us, and we can check this CA without any external 
script.


--
// Lev Serebryakov


Re: Check the subject and issuer in the EAP-TLS

2006-05-12 Thread Lev A. Serebryakov

Michal Prochazka wrote:

> I don't agree with you. FreeRADIUS checks that the certificate is issued 
> by one of the CAs defined in the config of EAP-TLS. And then this script 
> compares the subject; you cannot forge it. And of course this patch can 
> be easily enhanced to export sha1/md5 signatures.

  Oh, I've missed your point, sorry.
  This patch is against using some (for example, e-mail signing) 
certificate (issued by the proper CA!) as a wireless client's one, am I 
right on the second try? :)


--
// Lev Serebryakov
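The thread raises two separate checks that an EAP-TLS server has to get right: the first post needs the `host/FQDN` identity that Windows XP SP2 sends to be mapped back to the FQDN in the certificate's commonName, and the later exchange settles that subject strings are only meaningful after the chain has been validated against the configured CA (`CA_file`), at which point the remaining job is to refuse certificates from that CA that were issued for another purpose, such as e-mail signing. The Go program below is an added example written for this page; it is not code from the thread, from Michal Prochazka's patch, or from FreeRADIUS. It assumes constructed certificates (a throwaway "Example Corp Wireless CA", a machine named `ws1.example.com`, and a second "Rogue CA" outside the trust store), generated in-process so the example runs offline, and it stands in for the policy a RADIUS server would apply after the TLS handshake; in a real deployment the chain check is done by the TLS module and the policy only consumes its result.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// MachineIdentity strips the "host/" prefix that Windows XP SP2 puts in User-Name
// when it authenticates with a computer certificate; the result is the FQDN that
// should equal the certificate's commonName. ok is false for any other form.
func MachineIdentity(userName string) (fqdn string, ok bool) {
	if !strings.HasPrefix(userName, "host/") {
		return "", false
	}
	fqdn = strings.ToLower(strings.TrimPrefix(userName, "host/"))
	return fqdn, fqdn != ""
}

// AcceptClient is the policy applied after the TLS handshake. The chain is verified
// against the configured CAs first (the job CA_file does); only then are subject strings trusted.
func AcceptClient(userName string, cert *x509.Certificate, roots *x509.CertPool) error {
	// 1. Chain validation: without it, CN and issuer are attacker-chosen strings.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	// 2. Purpose: a cert from the right CA but issued for e-mail signing must not log on.
	clientAuth := false
	for _, eku := range cert.ExtKeyUsage {
		clientAuth = clientAuth || eku == x509.ExtKeyUsageClientAuth
	}
	if !clientAuth {
		return fmt.Errorf("certificate for %q lacks the clientAuth extended key usage", cert.Subject.CommonName)
	}
	// 3. Identity binding: User-Name must name the machine the certificate was issued to.
	fqdn, ok := MachineIdentity(userName)
	if !ok {
		return fmt.Errorf("User-Name %q is not a host/FQDN computer identity", userName)
	}
	if fqdn != strings.ToLower(cert.Subject.CommonName) {
		return fmt.Errorf("User-Name %q does not match certificate CN %q", fqdn, cert.Subject.CommonName)
	}
	return nil
}

var serial int64 // constructed serial numbers for the throwaway certificates

// issue creates a throwaway certificate signed by parent (self-signed when isCA).
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// BuildScenario issues constructed certificates (none real): a trusted CA, a computer cert for
// ws1.example.com, an e-mail cert with the same CN from the same CA, and a look-alike from an untrusted CA.
func BuildScenario() (roots *x509.CertPool, machine, email, rogue *x509.Certificate) {
	ca, caKey := issue("Example Corp Wireless CA", true, nil, nil, nil)
	other, otherKey := issue("Rogue CA", true, nil, nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	client := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	machine, _ = issue("ws1.example.com", false, client, ca, caKey)
	email, _ = issue("ws1.example.com", false, []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, ca, caKey)
	rogue, _ = issue("ws1.example.com", false, client, other, otherKey)
	return roots, machine, email, rogue
}

func main() {
	roots, machine, email, rogue := BuildScenario()
	fmt.Println("machine cert, host/ws1.example.com:", AcceptClient("host/ws1.example.com", machine, roots))
	fmt.Println("machine cert, bare FQDN:", AcceptClient("ws1.example.com", machine, roots))
	fmt.Println("e-mail cert, same CN:", AcceptClient("host/ws1.example.com", email, roots))
	fmt.Println("look-alike cert from untrusted CA:", AcceptClient("host/ws1.example.com", rogue, roots))
}
```

The order of the three checks is the point of the discussion: the e-mail certificate and the look-alike certificate both carry the expected commonName, so a script that only compared subject strings would pass them; the look-alike fails at chain validation, the e-mail certificate fails on extended key usage, and only the computer certificate from the trusted CA reaches the identity comparison, where the `host/` prefix is removed and the name compared case-insensitively.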