On Mon, Feb 22, 2016 at 03:07:13PM +0100, Sylvain Munaut wrote:
The cert CN vs User-Name in EAP-TLS is a good example. If I hadn't seen that comment in check-eap-tls, I could have completely overlooked it and then anyone with a valid cert could just pretend to be someone else ...
EAP-TLS is based around one thing - if you can present a valid certificate then you are permitted to connect. There's no such thing as "pretending to be someone else". Yes, you could steal someone elses certificate and key. You could also steal their username and password for a different authentication method...
The very first time I configured FreeRadius, I fully expected that if a username wasn't anywhere in the DB, it would fail auth. Obviously that's no the case at all and that's not the way it works at all in RADIUS, but at the time, I didn't know any better.
check-eap-tls is for the slightly less usual situation where you want to do additional checks on the client certifiacte presented. It's not a "this is how you authenticate this person" - EAP-TLS authenticates everyone you've issued a certificate to by definition. The example case of check-eap-tls (which is the reason I wrote it) is that we have here a Microsoft domain where all domain joined PCs are issued certificates, and can therefore connect. But we want to limit the ones that can connect to a particular subset of machines. Usually you would just not issue certs to the PCs you didn't want to connect. That wasn't possible here, hence the possibility of an additional check to restrict what would normally be controlled elsewhere. This doesn't hold for other parts of FreeRADIUS. Users can log in because they're in the users file, or a database, etc. Adding them to those data sources is like issuing the certificate. Not having them in the database means they can't connect. FreeRADIUS doesn't just let anyone connect when you've not permitted them to. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>