Help on TLS+Active Directory

Alan DeKok aland at deployingradius.com
Wed Dec 2 08:05:14 CET 2009


gera wrote:
> BUT, we noted an interesting behaviour. If the client specifies that Windows should use 
> another username to log in, although freeradius complains that the user 
> doesn't exist on ldap, it seems it still accepts this user, as long as the 
> certificate is fine.

  That's how EAP-TLS works.

> So, in this case, if the user isn't allowed to log in 
> because of simultaneous use, he can still change the username which he uses, 
> specifying another one (whichever, even if it doesn't exist) and voilà! He can 
> now log in.
> 
> I'm sure I'm missing something, but I'm not sure what.

  You need to update the CRL to revoke the certificate.  The user then
can't use it for authentication.

  Alan DeKok.
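An added illustration, not part of the original thread: the behaviour gera describes follows from EAP-TLS authenticating the certificate, not the outer User-Name the client types. Two places in the server configuration close the gap: the `check_cert_cn` option in the `tls` section of eap.conf rejects a session whose certificate CN does not match the User-Name (so a renamed login with a valid certificate no longer gets in), and `check_crl` with `CA_path` makes the server honour the revocation list Alan mentions. The snippet below is written against the eap.conf layout of the FreeRADIUS 2.x series that this 2009 thread concerns; the directory paths are assumptions, and the option names should be confirmed in the eap.conf shipped with your own version.

```conf
eap {
	default_eap_type = tls

	tls {
		certdir = ${confdir}/certs          # assumed layout
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		CA_file = ${certdir}/ca.pem

		# Bind the outer identity to the certificate: the CN of the
		# client certificate must equal the User-Name the client sent.
		# A user who types a different (or non-existent) username is
		# rejected even though the certificate itself is valid.
		check_cert_cn = %{User-Name}

		# Honour the CRL so a revoked certificate cannot authenticate.
		# CA_path must hold the CA certificate and the CRL, hashed
		# with c_rehash so OpenSSL can find them.
		check_crl = yes
		CA_path = ${certdir}/crl           # assumed directory
	}
}
```

With `check_cert_cn` in place, the Simultaneous-Use check is effectively keyed on the certificate identity as well, because the only User-Name the server will accept alongside a given certificate is that certificate's CN; the CRL setting covers the separate case where the certificate itself must stop working.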


