(RADIATOR) EAPTLS_NoCheckId and AuthBy FILE check
Markus Moeller
huaraz at moeller.plus.com
Mon Feb 25 16:30:32 CST 2008
I have a setup for EAPTLS authentication as follows
<AuthBy FILE>
    Identifier EapTLSTest
    Filename %D/ADUsers
    EAPType TLS
    EAPTLS_CAFile /etc/ssl/certs/allcerts.pem
    EAPTLS_CAPath /etc/ssl/certs
    EAPTLS_CertificateFile %D/servercert.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/serverkey.pem
    EAPTLS_PrivateKeyPassword password
    EAPTLS_MaxFragmentSize 1000
    #EAPTLS_CRLCheck
    #EAPTLS_CRLFile %D/certificates/crl.pem
    #EAPTLS_CRLFile %D/certificates/revocations.pem
    #EAPTLSRewriteCertificateCommonName s/testUsemikem/
    EAPTLS_NoCheckId
    AutoMPPEKeys
</AuthBy>
#
<Handler Device-Class=WlanTest>
    # Mark request as Radius request if not already set by TACACS+
    AddToRequestIfNotExist Request-Protocol=EapTLS
    AuthByPolicy ContinueUntilReject
    AuthBy EapTLSTest
    AuthLog LogEapTLSAuthentication
    AuthLog SysLogEapTLSAuthentication
    AcctLogFileName %L/detail-%d-%v-%Y.log
</Handler>
with ADUser
DEFAULT User-LockedOut=No
When I receive an EAPTLS request I don't see any check against the ADUser entries. But when I disable EAPTLS_NoCheckId (e.g. comment it out with #) it seems to check against ADUser. Is this the correct behaviour?
Why does EAPTLS_NoCheckId the use of ADUser?
Thank you
Markus