On Nov 20, 2017, at 4:27 PM, Brian Julin <BJulin@clarku.edu> wrote:
Oh... are you talking about setting the EAP-TLS-Require-Client-Cert control item?
Yes.
If so, the problem with that is: how do you know when to do that?
Policy... usually looking up user name / device / whatever in a DB.
It's undoubtably a useful feature for people who have a reliably consistent database of all identifiers that should present a cert, but in some environments that's just too chaotic to pull off... e.g. when users can nuke and reinstall an OS or multi-boot.
Well... if the user screws up their system, the safest thing to do is reject them. If they should have a cert, then the server shouldn't make it optional. If they shouldn't have a cert, why would they present one? Where would they get it from? It's always better to understand what to do, and to do it right. Guessing is almost always bad.
Anyway I didn't mean to derail the user list. I could take this to a github issue unless there's a better place for wishlist stuff. Thanks for the clarifications.
That's fine. Alan DeKok.