rlm_eap_tls: authenticate instead of authorize?

Graham Leggett minfrin at sharp.fm
Tue Jan 10 19:36:20 CET 2012


On 10 Jan 2012, at 2:27 PM, Alan DeKok wrote:

>> Would there be any ill effects if the rlm_eap_tls certificate parsing was moved from the authenticate section to the authorize section?
> 
>  Likely not.  But the difficulty is doing that *only* for the EAP-TLS
> code.  The EAP modules currently do all of their work in the
> "authenticate" section, for good reason.  Nearly everything in EAP is
> based on authentication.  So doing the work in another section would be
> hard.

Hmmm...

I think I have worked around my problem for now with the check_client_san patch, as with it I can enforce that User-Name matches the subjectAltName, and then use the User-Name as the key for authorization.

Regards,
Graham
--
