eap/tls access-accept without existing user?


eap/tls access-accept without existing user?

Markus Krause
hi all!

first what i am using:
- freeradius 1.0.4 (on debian sarge, package built with -disable-shared)
- mac os x 10.3.9
- self-signed certificates built in a similar way to the ones in the
package/tarball (just adapted the CA.certs script)

my users file contains in addition to the unchanged standard the following
lines:

---8< users 8<---
testuser1 User-Password == "testing"
testuser2 Auth-Type := Local, User-Password == "testing"
--->8 users >8---

the only changes i made in the configuration file radiusd.conf are to comment out
"suffix"; in eap.conf i uncommented the section with tls and ttls

when trying to establish a connection from the mac powerbook using 802.1x and
client certificate i get a working connection if i enter anything but
"testuser2", even a wrong password or no password or username at all works! with
"testuser2" i get an error and no connection.

where am i missing the point?

thanks in advance for any hint!!

  markus


--
Markus Krause                           email: [hidden email]
Computing Center                        Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics           Fax.: 089 - 89 40 85 98


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap/tls access-accept without existing user?

Alan DeKok
Markus Krause <[hidden email]> wrote:
> when trying to establish a connection from the mac powerbook using 802.1x and
> client certificate i get a working connection if i enter anything but
> "testuser2", even a wrong password or no password or username at all works! with
> "testuser2" i get an error and no connection.
>
> where am i missing the point?

  EAP-TLS uses client certificates.  If they have a valid client
certificate, they're in.  The username doesn't matter.

  Alan DeKok.
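The following is an added illustration, not code from the thread or from FreeRADIUS itself. It parses the two `users` entries quoted above and models, in simplified form, how a FreeRADIUS 1.x server arrives at an Auth-Type for an EAP-TLS request: `eap` sets `Auth-Type := EAP` when an EAP-Message is present, `files` then applies the matching entry's check items, and a `:=` in the users file overwrites whatever was set before it. The result shows why any identity with a valid client certificate is accepted while `testuser2` is rejected: its entry forces `Auth-Type := Local`, which expects a cleartext User-Password that an EAP-TLS request never carries. The module names, attribute handling and authorize order are assumptions modelled on the default radiusd.conf, not the real FreeRADIUS API.

```python
"""Toy model of FreeRADIUS 1.x authorize/authenticate for an EAP-TLS request.
Added example; names and ordering are a simplification, not FreeRADIUS's code."""
import re

# The two entries quoted in the thread (constructed sample users file).
USERS_FILE = '''\
testuser1 User-Password == "testing"
testuser2 Auth-Type := Local, User-Password == "testing"
'''

# attribute, operator, then either a quoted value or a bare word
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*(?:"([^"]*)"|([^,\s]+))')


def parse_users(text):
    """Parse users-file lines of the form: <name> <attr> <op> <value>, ..."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        checks = {}
        for attr, op, quoted, bare in PAIR_RE.findall(rest):
            checks[attr] = (op, quoted if quoted else bare)
        entries[name] = checks
    return entries


def authorize(entries, request):
    """Assumed default authorize order: eap runs before files.
    rlm_eap sets Auth-Type := EAP for any request carrying EAP-Message;
    rlm_files then applies the matching entry, and ':=' overwrites."""
    config = {}
    if "EAP-Message" in request:
        config["Auth-Type"] = "EAP"
    entry = entries.get(request.get("User-Name"))
    if entry:
        for attr, (op, value) in entry.items():
            if op == ":=":
                config[attr] = value          # forced control item
            elif attr == "User-Password":
                config["Password-Check"] = value  # kept for Local/PAP, not compared here
    return config


def authenticate(config, request):
    """Assumed behaviour of the two Auth-Types involved."""
    auth_type = config.get("Auth-Type")
    if auth_type == "EAP":
        # EAP-TLS: the validated client certificate decides; User-Name is only a hint
        return "Access-Accept" if request.get("client_cert_valid") else "Access-Reject"
    if auth_type == "Local":
        # Local compares a cleartext User-Password; an EAP-TLS request has none
        if request.get("User-Password") is None:
            return "Access-Reject"
        return ("Access-Accept" if request["User-Password"] == config.get("Password-Check")
                else "Access-Reject")
    return "Access-Reject"


def decide(users_text, user_name, cert_valid):
    """Return (Auth-Type chosen, final response) for one constructed EAP-TLS request.
    Whatever the supplicant's user typed as a password never reaches RADIUS with
    EAP-TLS, so the request carries EAP-Message and the certificate result only."""
    request = {"EAP-Message": b"<eap-tls fragment>", "client_cert_valid": cert_valid}
    if user_name is not None:
        request["User-Name"] = user_name
    config = authorize(parse_users(users_text), request)
    return config.get("Auth-Type"), authenticate(config, request)


if __name__ == "__main__":
    for ident in ("testuser1", "testuser2", "anything-at-all", None):
        print(ident, decide(USERS_FILE, ident, cert_valid=True))
    print("testuser1 with bad cert", decide(USERS_FILE, "testuser1", cert_valid=False))
```

Running it prints Access-Accept for testuser1, for an unknown name and for no User-Name at all, and Access-Reject for testuser2, matching the behaviour reported in the thread. The practical consequence is the one Alan states: with EAP-TLS the certificate is the credential, so the `users` file neither grants nor restricts access by password, and an entry that forces a password-based Auth-Type simply breaks EAP for that name.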