On Wednesday 02 December 2009 12:05:14 am Alan DeKok wrote:
gera wrote:
BUT, we noted an interesting behaviour. If the client specify Windows to use another username to login, although freeradius complaints that the user doesn't exist on ldap, it seems it still accepts this user, as long as the certificate is fine.
That's how EAP-TLS works.
Ok, I understand. But, is it any way in what we can only take care of the commonName on the certificate, ignoring what the user is sending in?
So, in this case, if the user isn't allowed to login because of simultaneous use, he still can change the username which he uses specifying another one (whichever, even if it doesn't exist) and voilá! He can now log in.
I'm sure I'm missing something, but I'm not sure what.
You need to update the CRL to revoke the certificate. The user then can't use it for authentication.
But in this case, the user will no longer be able to login to the system, until he gets a new certificate, right?