Question about windowsXP(Odessey Client) + EAP-TLS with freeRADIUS
s3b0 at gmx.de
s3b0 at gmx.de
Thu Dec 13 12:35:07 CET 2007
> Hangjun He wrote:
> > And I use EAP-TLS and with correct certs. Even if I set wrong
> > username in Odessey Client, freeRADIUS will return
> > success.(check_cert_cn not set).
>
> EAP-TLS authenticates users based on certificates. It ignores the
> user name.
i think, thats not completely correct. when you use eap-tls, the username in the radius-packet is the common name of your certificate. so you can check in the users file against the common name, and reject specific common names...
if you set check_cert_cn to "yes", then the server will compare the common name of the certicate with the user-name in the radius packet (as i said, this is normally also the common name).
>
> > Can I let freeRADIUS to check if username in the users file or other
> > database? If not, reject user.
>
> Yes. Configure that:
>
> bob Auth-Type := Reject
>
> Alan DeKok.
>
Sebastian
--
Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen!
Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer
More information about the Freeradius-Users
mailing list