On Feb 22, 2016, at 10:28 AM, Sylvain Munaut <s.munaut@whatever-company.com> wrote:
Well my use case is not that simple :) If you're issued a cert you can prove who you are. But then depending on who you proved you were, you're going to be granted / denied access to whatever you're requesting to access.
That has *nothing to do with EAP-TLS*. You're again confusing two unrelated issues.
Well I used the "pretending to be someone else" because by default everything (group membership / reply attrs / ...) is keyed off "User-Name". And the User-Name gets filled with the CN if not explicitly told to do something else in the client. But without an explicit check it can be anything.
Which is why FreeRADIUS exposes the CN, and allows you to check it.
My understanding ATM is that they can login because they have a Cleartext-Password being set that allows one of the auth method to proceed. Sure, the usual way of setting this IS to use DB/file/... but if you have special config that sets it any other way, it'll work just as well and the presence of the user in DB/files is not actually strictly required.
Yes. The authentication process (PAP, CHAP, MS-CHAP) doesn't care where the Cleartext-Password came from. Because it doesn't matter.
FreeRADIUS doesn't just let anyone connect when you've not permitted them to.
I never said it did.
That's what you implied. Alan DeKok.