Sven_Menschner@drewag.de wrote:
we have setup a freeradius server for WLAN authentication. We have deployed a PKI to use EAP-TLS and everything runs fine so far. But I am wondering if the user name provided by the supplicant is used by freeradius at all when using this authentication method. I have tested these scenarios:
Only if you add configuration to check it.
If I provide a wrong user name in the supplicant configuration (it doesn't match the user name in client certificate), authentication still works.
That's how EAP-TLS works. If the certificate is OK, it doesn't really matter what *else* is supplied as part of the user authentication.
So is it checked at all? If so, does that imply that everyone is able get authenticated as soon as he gets the client certificate, even if he doesn't know the users identity?
The client certificate *is* the users identity.
So some explanation about the relation between EAP-TLS and the user store would be great...
EAP-TLS users identify themselves. They don't need a "user store". The certificate is their user store. Alan DeKok.