On 11/8/05, Michael Griego <mgriego@utdallas.edu> wrote:
Ben Walding wrote:
> We've found in testing that the XP supplicant (with certain patches)
> will read the certificate and send a User-Name that is constructed
> from the certificate CN (host/ + cert CN); thus rendering the whole
> "checking the CN process" fairly pointless for XP supplicants.
This is only true when a certificate is used for machine authentication,
not for user authentication.
To get around the the problem stated above, all you have to do is create
two instances of the EAP module. In cases where the User-Name attribute
begins with "host/", just send those authentications to the second EAP
module, and have the check_cert_cn parameter set to check for
"host/%{User-Name}". This way you can still be assured of proper
authorization.