Martin, If you want to leverage the existing user profiles in the RADIUS server for authentication, authorization, this Internet Draft TLS-EAP Extension http://tools.ietf.org/html/draft-nir-tls-eap-06 might be what you are looking for. Unfortunately, there is no implementation up to date as far as I know. I am designing and developing the software for this Internet draft based on OpenSSL, EAP module from wpa-supplicant and freeradius client. Please let me know any special requirements if you are interested in using TLS-EAP Extension. Thanks, jay On Wed, Jul 1, 2009 at 2:14 PM, Alan DeKok<aland@deployingradius.com> wrote:
Martin Schneider wrote:
We need also authorization. So we want to
1.) check if the certificate is signed by a "trusted ca"
That is done by the normal certificate validation process.
2.) check if the username x in the certificate is "known"
What does that mean? If the CA signed the certificate, then the usename is known. Why would the CA sign a certificate for an unknown user?
3.) check if the user with name x is authorized to access the service.
That can be done with RADIUS.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html