Ok, that's what I was looking for! Putting DEFAULT in the file yields the desired behavior.

Thanks!
Joy

On 12/8/11 5:47 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:

>On 12/09/2011 12:31 AM, Joy Veronneau wrote:
>> Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches
>> the computer name. Seems like I would want the cert name checked?
>> Is there a way I can still check the cert name?
>
>In this case you could try not enabling EAPTLS_NoCheckId and use
>Filename %D/tls_anon with this single line:
>DEFAULT
>
>Since NoDefault is not on, the DEFAULT entry will match and user lookup
>should be successful.
>
>Another option is to have EAPTLS_NoCheckId enabled and do name matching
>with EAPTLS_CertificateVerifyHook
>
>Thanks!
>Heikki
>
>
>> Sorry to have so many questions…
>>
>> Thanks,
>> Joy
>>
>> On 12/8/11 5:26 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:
>>
>>> On 12/09/2011 12:15 AM, Joy Veronneau wrote:
>>>
>>>> But if I do that, I will still have to have the names of the machines in
>>>> the tls_anon file, wouldn't I?
>>>
>>> Good point, I overlooked that part. Please see ref.pdf section "5.20.46
>>> EAPTLS_NoCheckId". You can turn off the name check.
>>>
>>> Thanks!
>>> Heikki
>>>
>>>> Thanks,
>>>>
>>>> Joy
>>>>
>>>> On 12/8/11 5:07 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:
>>>>
>>>>> On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>>>>>
>>>>> Hello Joy,
>>>>>
>>>>>> I am still working on my machine based authentication config.
>>>>>>
>>>>>> Config1 (below) works fine but requires that the names of the machines be
>>>>>> listed in the file tls_anon.
>>>>>
>>>>> Try with something like this:
>>>>> <Handler ...>
>>>>>     AuthByPolicy ContinueWhileAccept
>>>>>     AuthBy file-tls
>>>>>     AuthBy external-adcert
>>>>> </Handler>
>>>>>
>>>>> With the above EAP-TLS will run first and when it is done and returns
>>>>> ACCEPT, the AuthBy EXTERNAL extra check will run determining the outcome
>>>>> of the whole authentication process.
>>>>>
>>>>> Please let us know of your results
>>
>
>
>--
>Heikki Vatiainen <h...@open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
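A consolidated Radiator configuration for the setup this thread converges on, as an added example that is neither a message from the thread nor part of the Radiator distribution: the Handler runs EAP-TLS first, the tls_anon file contains only the line DEFAULT so the user lookup succeeds for any machine, NoDefault and EAPTLS_NoCheckId are both left off so the certificate identity is still checked, and only then does the AuthBy EXTERNAL check decide the outcome. The certificate paths and the external command are assumed placeholders, not values from the thread.

```text
# radiator.cfg fragment (added example, not from the thread).
# Certificate paths and the external command are placeholders.

<Handler>
    # EAP-TLS runs first; only when it returns ACCEPT does the
    # next AuthBy run, and that one decides the final result.
    AuthByPolicy ContinueWhileAccept
    AuthBy file-tls
    AuthBy external-adcert
</Handler>

<AuthBy FILE>
    Identifier file-tls
    EAPType TLS
    # %D/tls_anon contains the single line:
    #     DEFAULT
    # so every machine matches a user entry. NoDefault is
    # deliberately NOT set; with it on, the DEFAULT entry would be
    # ignored and the lookup would fail.
    Filename %D/tls_anon
    # EAPTLS_NoCheckId is deliberately NOT set, so Radiator still
    # checks that the identity in the client certificate matches
    # the EAP identity (the machine name).
    # Placeholder paths below: replace with your own files.
    EAPTLS_CAFile %D/certificates/ca-cert.pem
    EAPTLS_CertificateFile %D/certificates/server-cert.pem
    EAPTLS_PrivateKeyFile %D/certificates/server-key.pem
</AuthBy>

<AuthBy EXTERNAL>
    Identifier external-adcert
    # Hypothetical script performing the extra Active Directory
    # check for the authenticating machine; its exit status
    # selects the result (0 is ACCEPT).
    Command /usr/local/bin/check-adcert.sh %u
</AuthBy>
```

The two deliberate omissions (NoDefault and EAPTLS_NoCheckId) are the whole point: adding either one changes which of the thread's behaviours you get.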