Yes. It sounds good. Check common name in the certificate with databases(users or others). John s3b0@gmx.de 写道:
Hangjun He wrote:
And I use EAP-TLS and with correct certs. Even if I set wrong username in Odessey Client, freeRADIUS will return success.(check_cert_cn not set).
EAP-TLS authenticates users based on certificates. It ignores the user name.
i think, thats not completely correct. when you use eap-tls, the username in the radius-packet is the common name of your certificate. so you can check in the users file against the common name, and reject specific common names... if you set check_cert_cn to "yes", then the server will compare the common name of the certicate with the user-name in the radius packet (as i said, this is normally also the common name).
Can I let freeRADIUS to check if username in the users file or other database? If not, reject user.
Yes. Configure that:
bob Auth-Type := Reject
Alan DeKok.
Sebastian -- Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- 天生购物狂,狂抢购物券,你还等什么!