On Sat, Apr 12, 2008 at 05:41:44PM +0200, Alan DeKok wrote:
Yes, I would use the User-Name for VLAN assignment. I would also use check_cert_cn to be sure that they didn't lie about the User-Name.
There should not really be any requirement for User-Name (EAP-Response/Identity) to match with CN in case of EAP-TLS.. The EAP-Response/Identity is mainly for routing and it is sent in clear, so requiring it to match with CN would prevent identity privacy.
Which is why it's there. Honestly, I don't see why you're so shocked about it. You seem to be saying that check_cert_cn is a bad idea, because you have to *use* it to prevent people from lying.
But check_cert_cn is indeed a bad idea in many cases.. RFC 2716bis draft is changing the identity verification to "SHOULD NOT" require identities (EAP-Identity and CN) to be identical.. Identity from EAP-Response/Identity is mainly for routing purposes and things like VLAN selection should really use information from the client certificate (in case of EAP-TLS) instead. If someone is willing to write a submission for this, it would be very useful to be able to use information from various certificate attributes to decide what to do with the request after the EAP-TLS authentication has been completed. This would make it possible to disable check_cert_cn and would even allow use of groups (i.e., not just list of every possible identity string) for VLAN assignment. -- Jouni Malinen PGP id EFC895FA