Hello, some admins who deploy EAP-TLS brought an interesting note to my attention (can't actually verify it, as I don't have their sophisticated setup)... The story goes like that - EAP-TLS does not have inner EAP, so there is no inner virtual server for it - if you want to authorization checks for the user, it has to happen on outer server (say, ask LDAP for some user attributes) - the default ldap filter expression uses (Stripped) User-Name - User-Name in EAP-TLS can be set arbitrarily by the end user as outer identity -> FreeRADIUS by default performs authorisation checks with an unvetted, user-supplied string So, if John Doe has a valid certificate, but is not authorized for network access, but he knows that Jane Donk *is* authorized, he could set anon ID = Jane Donk, and use his own certificate. authorize passes with Jane's User-Name, and authentication passes with John's proper certificate. That's all no tragedy; after all, it's just the *default* behaviour of the LDAP module, and can be changed. People may want to "channel bind" the two values on their own by enforcing User-Name == TLS-Client-Cert-Common-Name or so. I'm just wondering if we could by default ship a config which would prefer cert content, such as Common Name, over unvetted information so as to have a more sane default. I'm guessing that changing the ldap module's "filter" config item should do, from filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" to filter = "(uid=%{%{TLS-Client-Cert-Common-Name}:-%{%{Stripped-User-Name}:-%{User-Name}}))" (uh, I'm sure I got those curly braces wrong... bear with me...) That expression would do the same as before in all cases except when EAP types with Client TLS certificates are used, and would only then use the CN. Is there any sense in what I write? Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473