On 12/09/2011 12:31 AM, Joy Veronneau wrote:
> Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches
> the computer name. Seems like I would want the cert name checked?
> Is there a way I can still check the cert name?

In this case you could try not enabling EAPTLS_NoCheckId and use Filename
%D/tls_anon with this single line:

DEFAULT

Since NoDefault is not on, the DEFAULT entry will match and user lookup
should be successful.

Another option is to have EAPTLS_NoCheckId enabled and do name matching
with EAPTLS_CertificateVerifyHook

Thanks!
Heikki

> Sorry to have so many questions…
>
> Thanks,
> Joy
>
> On 12/8/11 5:26 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:
>
>> On 12/09/2011 12:15 AM, Joy Veronneau wrote:
>>
>>> But if I do that, I will still have to have the names of the machines in
>>> the tls_anon file, wouldn't I?
>>
>> Good point, I overlooked that part. Please see ref.pdf section "5.20.46
>> EAPTLS_NoCheckId". You can turn off the name check.
>>
>> Thanks!
>> Heikki
>>
>>> Thanks,
>>>
>>> Joy
>>>
>>> On 12/8/11 5:07 PM, "Heikki Vatiainen" <h...@open.com.au> wrote:
>>>
>>>> On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>>>>
>>>> Hello Joy,
>>>>
>>>>> I am still working on my machine based authentication config.
>>>>>
>>>>> Config1 (below) works fine but requires that the names of the machines
>>>>> be listed in the file tls_anon.
>>>>
>>>> Try with something like this:
>>>>
>>>> <Handler ...>
>>>>     AuthByPolicy ContinueWhileAccept
>>>>     AuthBy file-tls
>>>>     AuthBy external-adcert
>>>> </Handler>
>>>>
>>>> With the above EAP-TLS will run first and when it is done and returns
>>>> ACCEPT, the AuthBy EXTERNAL extra check will run determining the
>>>> outcome of the whole authentication process.
>>>>
>>>> Please let us know of your results
>

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
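The second option in Heikki's reply, worked through as an added example (not code from this thread or from Radiator's goodies directory): keep EAPTLS_NoCheckId on so the single DEFAULT line in tls_anon satisfies the user lookup, and restore the name check in an EAPTLS_CertificateVerifyHook that compares the certificate CN with the presented User-Name. The hook's argument list, its return convention, the file:"..." loading syntax and the "host/" prefix handling for machine accounts are assumptions and are marked as such in the comments.

```perl
# certverify.pl: an added example, not code from this thread or from Radiator's
# goodies. Loaded from the EAP-TLS AuthBy with (assumed syntax):
#     EAPTLS_NoCheckId
#     EAPTLS_CertificateVerifyHook file:"%D/certverify.pl"
# ASSUMPTION: the hook is called with the peer certificate as a Net::SSLeay X509
# pointer and the current request object, and returns true to accept; confirm
# the argument list in ref.pdf for your Radiator version before deploying.
use strict;
use warnings;
use Net::SSLeay;

# Pure comparison, independent of Radiator, so it can be tested on its own.
# ASSUMPTION: Windows machine accounts authenticate as "host/<fqdn>" while the
# machine certificate CN is the bare FQDN, so the prefix is stripped first.
# DNS names are case-insensitive, so both sides are lower-cased.
sub cert_name_matches {
    my ($cn, $identity) = @_;
    return 0 unless defined $cn && defined $identity;
    $identity =~ s{^host/}{}i;
    $cn       = lc $cn;
    $identity = lc $identity;
    # An empty CN or identity must never match anything.
    return 0 if $cn eq '' || $identity eq '';
    return $cn eq $identity ? 1 : 0;
}

# The hook itself: the file evaluates to this code reference. It pulls the CN
# out of the certificate subject, reads the User-Name from the request, logs
# the decision so a mismatch is visible in the Radiator log, and returns it.
sub {
    my ($x509, $p) = @_;
    my $subject  = Net::SSLeay::X509_get_subject_name($x509);
    my $cn       = Net::SSLeay::X509_NAME_get_text_by_NID($subject, Net::SSLeay::NID_commonName());
    my $identity = $p->get_attr('User-Name');
    my $ok       = cert_name_matches($cn, $identity);
    &main::log($main::LOG_DEBUG,
        "EAP-TLS certificate CN '" . ($cn // '') . "' "
        . ($ok ? 'matches' : 'does not match')
        . " User-Name '" . ($identity // '') . "'");
    return $ok;
}
```

With this in place a client holding a valid certificate issued to some other machine is still refused, which is the check Joy was asking to keep.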
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator