[RADIATOR] question about machine based authentication

Heikki Vatiainen hvn at open.com.au
Thu Dec 8 16:47:43 CST 2011

On 12/09/2011 12:31 AM, Joy Veronneau wrote:
> Hmm, but EAPTLS_NoCheckId also doesn't check that the cert name matches
> the computer name. Seems like I would want the cert name checked?
> Is there a way I can still check the cert name?

In this case you could try not enabling EAPTLS_NoCheckId and use
Filename %D/tls_anon with this single line:

Since NoDefault is not on, the DEFAULT entry will match and user lookup
should be successful.

Another option is to have EAPTLS_NoCheckId enabled and do name matching
with EAPTLS_CertificateVerifyHook


> Sorry to have so many questionsŠ
> Thanks,
> Joy
> On 12/8/11 5:26 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:
>> On 12/09/2011 12:15 AM, Joy Veronneau wrote:
>>> But if I do that, I will still have to have the names of the machines in
>>> the tls_anon file, wouldn't I?
>> Good point, I overlooked that part. Please see ref.pdf section "5.20.46
>> EAPTLS_NoCheckId". You can turn off the name check.
>> Thanks!
>> Heikki
>>> Thanks,
>>> Joy
>>> On 12/8/11 5:07 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:
>>>> On 12/07/2011 11:42 PM, Joy Veronneau wrote:
>>>> Hello Joy,
>>>>> I am still working on my machine based authentication config.
>>>>> Config1 (below) works fine but requires that the names of the machines
>>>>> be
>>>>> listed in the file tls_anon.
>>>> Try with something like this:
>>>> <Handler ...>
>>>>   AuthByPolicy ContinueWhileAccept
>>>>   AuthBy file-tls
>>>>   AuthBy external-adcert
>>>> </Handler>
>>>> With the above EAP-TLS will run first and when it is done and returns
>>>> ACCEPT, the AuthBy EXTERNAL extra check will run determining the
>>>> outcome
>>>> of the whole authentication process.
>>>> Please let us know of your results

Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list