Dear Alan, On 04-04-16 12:05, A.L.M.Buxey@lboro.ac.uk wrote:
yes check_cert_cn , TLS-Client-Cert-CN , theres also the dynamic OSCP check you can do - but the best thing to do it use a privtae CA for a EAP-TLS system. as for the username - thats the 'outerid' as such - allowing proxying of the to-be-commenced authentication - protecting the real user id from the local RADIUS ssytem, allowing proxying etc without the EAP engine of the local server to be invoked. user@othersite.com - proxied off (as the client wont be able to talk to YOUR RADIUS server - think 'eduroam' :-) )
Thanks a lot. Also after reading http://serverfault.com/questions/410495/how-many-user-supplicant-certificate... I better understand what check_cert_cn = %{User-Name} does; please correct me if I'm wrong. It is in no way a check of Issuer of the certificate with the root CA. It is only a check if the username that was entered is the same as the CN of the client cert. So I guess it's nice to have learned this for now, but this doesn't help me in authentication for only (lets say) the client certs bob@example.com and alice@example.com. Now I better understand your hint of proxying. Thanks for helping a FreeRadius newbe! Wouter