EAP-TLS and user name

Sven_Menschner at drewag.de
Fri Jul 25 13:25:30 CEST 2014


Hi,

We have set up a freeradius server for WLAN authentication. We have
deployed a PKI to use EAP-TLS and everything runs fine so far.
But I am wondering if the user name provided by the supplicant is used by 
freeradius at all when using this authentication method.
I have tested these scenarios:

1. no entry in users file                    [files] module returns noop                  supplicant is authenticated via EAP
2. added plain user name to users file       [files] module matches user and returns OK   supplicant is authenticated via EAP
3. added user name with "Auth-Type := EAP"   [files] module returns noop                  supplicant is authenticated via EAP

If I provide a wrong user name in the supplicant configuration (it doesn't
match the user name in the client certificate), authentication still works.
So is it checked at all? If so, does that imply that everyone is able to get
authenticated as soon as he gets the client certificate, even if he
doesn't know the user's identity?

So some explanation about the relation between EAP-TLS and the user store 
would be great...
Many thanks in advance.

Best Regards,
Sven Menschner

-------------------------------------------------------------------------
DREWAG - Stadtwerke Dresden GmbH
Registered office: Dresden
Managing directors: Reiner Zieschank (Spokesman), Dr. Reinhard Richter
Chairwoman of the Supervisory Board: Helma Orosz, Mayor
Court of registration: Amtsgericht Dresden HRB 2626
-------------------------------------------------------------------------