Re: Check for Certificate AND Username

Alan DeKok wrote:
> Then use EAP-TTLS instead of EAP-TLS. You can then proxy the internal
> username/password information. With EAP-TLS, there is no username or
> password, so you can't proxy anything.

Thank you Alan. For some reason I thought that with TTLS you are not able to use certificates on the client (only on the server). I was wrong. I'm using TTLS now. Thanks again.

Wolfgang Burger

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Check for Certificate AND Username

Hi,

I am using freeradius to secure my WLAN. Everything works fine so far. But I'm not much of an expert. What I have now is a working setup using EAP/TLS and self-created certificates. But how can I achieve the following:

- Client sends certificate and Username/Password (done)
- freeradius checks for valid certificate (done)
- freeradius ADDITIONALLY checks Username/Password with another Radius-Server.

I guess I have to use the proxy settings. But how do I make freeradius check BOTH conditions? Any help would be appreciated.

Regards,
Wolfgang Burger

Re: Check for Certificate AND Username

Wolfgang Burger wrote:
> But how can I achieve the following:
> - Client sends certificate and Username/Password (done)
> - freeradius checks for valid certificate (done)
> - freeradius ADDITIONALLY checks Username/Password with another Radius-Server.

That can't really be done with the server today. But why do you want to do that?

Alan DeKok.

Re: Check for Certificate AND Username

Wolfgang Burger wrote:
> Well, there is another Radius-Server (DRAS, running under VMS, controlled
> by someone else) where all the users are listed. I just thought it would be
> very nice to check for a username/password, to make sure that no one gives
> away his certificate in any way.

Then use EAP-TTLS instead of EAP-TLS. You can then proxy the internal username/password information. With EAP-TLS, there is no username or password, so you can't proxy anything.

> And, and this is more important, it is possible that someone is blocked on
> the other server but still has a valid certificate. By proxying the request,
> that user would be blocked. Any other idea how to do this?

Revoke the client certificate.

Alan DeKok.

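
A configuration sketch of the setup the thread converges on (EAP-TTLS with a mandatory client certificate, CRL checking, and the inner username/password proxied to the other RADIUS server). This is an added example, not configuration posted by either participant. It assumes the FreeRADIUS 3.x file layout; the realm and server name `dras`, the address `192.0.2.10` and the shared secret are placeholders.

```conf
# --- mods-available/eap (FreeRADIUS 3.x layout, assumed) ---
eap {
    default_eap_type = ttls

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        ca_path = ${cadir}
        # Reject revoked client certificates; the CRL must be present in ca_path.
        check_crl = yes
    }

    ttls {
        tls = tls-common
        # EAP-TTLS does not ask for a client certificate by default; require one.
        require_client_cert = yes
        # The inner username/password is handled by this virtual server.
        virtual_server = "inner-tunnel"
    }
}

# --- sites-available/inner-tunnel ---
server inner-tunnel {
    authorize {
        # Forward the tunneled username/password to the other RADIUS server.
        update control {
            &Proxy-To-Realm := "dras"
        }
    }
}

# --- proxy.conf (placeholder address and secret) ---
home_server dras {
    type = auth
    ipaddr = 192.0.2.10
    port = 1812
    secret = CHANGE_ME
}
home_server_pool dras_pool {
    type = fail-over
    home_server = dras
}
realm dras {
    auth_pool = dras_pool
    nostrip
}
```

With this layout a request succeeds only if the TLS handshake accepts the client certificate and the home server accepts the inner credentials, so a user blocked on the other server is rejected even while the certificate is still valid.
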
Re: Check for Certificate AND Username

Wolfgang Burger wrote:
> But how can I achieve the following:
> - Client sends certificate and Username/Password (done)
> - freeradius checks for valid certificate (done)
> - freeradius ADDITIONALLY checks Username/Password with another Radius-Server.

Alan DeKok wrote:
> That can't really be done with the server today. But why do you want to do that?

That is most likely the answer that I have expected the least. But, of course, thank you for your reply.

Well, there is another Radius-Server (DRAS, running under VMS, controlled by someone else) where all the users are listed. I just thought it would be very nice to check for a username/password, to make sure that no one gives away his certificate in any way.

And, and this is more important, it is possible that someone is blocked on the other server but still has a valid certificate. By proxying the request, that user would be blocked. Any other idea how to do this?

Wolfgang Burger