Question about windowsXP(Odessey Client) + EAP-TLS with freeRADIUS

s3b0 at s3b0 at
Thu Dec 13 12:35:07 CET 2007

> Hangjun He wrote:
> >    And I use EAP-TLS and with correct certs.  Even if  I set wrong
> > username in Odessey Client, freeRADIUS will return
> > success.(check_cert_cn not set).
>   EAP-TLS authenticates users based on certificates.  It ignores the
> user name.

i think, thats not completely correct. when you use eap-tls, the username in the radius-packet is the common name of your certificate. so you can check in the users file against the common name, and reject specific common names...

if you set check_cert_cn to "yes", then the server will compare the common name of the certicate with the user-name in the radius packet (as i said, this is normally also the common name). 

> >     Can I let freeRADIUS to check if username in the users file or other
> > database?  If not, reject user.
>   Yes.  Configure that:
> bob	Auth-Type := Reject
>   Alan DeKok.

Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! 
Ideal für Modem und ISDN:

More information about the Freeradius-Users mailing list