user(name) and EAP-TLS

Klaus Klein k.klein at gmx.de
Mon Aug 6 00:56:01 CEST 2012


On 05.08.2012 10:28, Arran Cudbard-Bell wrote:
> Don't use this configuration with wired 802.1X. As the user's identity is not protected within the tunnel, someone sitting between your machine and the switch could easily switch out identities at the start of 802.1X auth, and use it as a way of performing privilege escalation.
Not to forget that the administration of the client might not be under the control of the FreeRADIUS administrators.
One wouldn't need a 'man in the middle' if the owner/user/admin of the client machine can edit the configuration to her/his liking.

> Hm, you should probably verify that the certificate is associated with the username provided.
Yupp, check_cert_cn in eap.conf is (at least for me) the way to go.
That's what Alan also acknowledged a few emails ago.

> SQL/LDAP xlat would probably do the job.
I'm not there yet.
But I'll have a look at this when I start playing with SQL and LDAP.

Cheers,
Klaus
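An added example, not part of Klaus's message or of the FreeRADIUS distribution: the tls section of a FreeRADIUS 2.x eap.conf with check_cert_cn enabled, so that the client certificate's Common Name must match the User-Name the client announced. The certificate file paths are assumed placeholders.

```conf
# eap.conf (FreeRADIUS 2.x), tls section only; file paths are assumed placeholders
eap {
	default_eap_type = tls

	tls {
		certdir = ${confdir}/certs
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		CA_file = ${certdir}/ca.pem

		# The shipped default keeps this line commented out. Without it,
		# the identity sent in EAP-Response/Identity is never tied to the
		# certificate that was actually presented, which is the mismatch
		# the thread warns about.
		#
		# With it, the Common Name of the client certificate must equal the
		# expanded User-Name of the request, otherwise EAP-TLS fails.
		check_cert_cn = %{User-Name}

		# Optionally also pin the issuer so only certificates from your own
		# CA are accepted (value is an assumed placeholder DN).
		# check_cert_issuer = "/C=XX/O=Example CA"
	}
}
```

After changing eap.conf, run radiusd in debug mode (radiusd -X) and watch a test authentication: a CN/User-Name mismatch is logged as a TLS failure rather than an Access-Accept.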

