Am 03.08.2012 22:06, schrieb Alan DeKok:
Klaus Klein wrote:
I'm working on securing the access to a WLAN network with WPA2-Enterprise, EAP-TLS and a FreeRADIUS server. Which uses certificates for authentication. Correct.
Everything seemed to work as expected until realized that a client will be authenticated (by eap) even if the user(name), provided with the mandatory "identifier" entry in wpa_supplicant.conf, doesn't exist in the users file. That's how EAP-TLS works. Is it then correct that the 'check_cert_cn' option in eap.conf is the only way to prevent anyone on the client side to tamper with the identity entry, and thereby avoiding restrictions (e.g. Login-Time) for that client?
Or is ther a other/better way to tie any setting to a EAP-TLS authenticated client? Cheers, Klaus