Hi,
I better understand what check_cert_cn = %{User-Name} does; please correct me if I'm wrong.
It is in no way a check of Issuer of the certificate with the root CA. It is only a check if the username that was entered is the same as the CN of the client cert.
in the example mentioned, yes.
So I guess it's nice to have learned this for now, but this doesn't help me in authentication for only (lets say) the client certs bob@example.com and alice@example.com. Now I better understand your hint of proxying. Thanks for helping a FreeRadius newbe!
for other checks , unlang parsing with TLS-Client-Cert-CN can verify if the CN matches something that you've handed out - your realm, for example, shouldnt be present int he CN from commercial CAs as noone else owns it/has authority (unless something interesting is going on in your company.....) - likewise, OCSP can also be used to verify if the cert is valid/current (more advanced methods also involve cert CNs being registered and looked up in SQL or rejected!) alan