10 Jan
2012
10 Jan
'12
1:36 p.m.
On 10 Jan 2012, at 2:27 PM, Alan DeKok wrote:
Would there be any ill effects if the rlm_eap_tls certificate parsing was moved from the authenticate section to the authorize section?
Likely not. But the difficulty is doing that *only* for the EAP-TLS code. The EAP modules currently do all of their work in the "authenticate" section, for good reason. Nearly everything in EAP is based on authentication. So doing the work in another section would be hard.
Hmmm... I think I have worked around my problem for now with the check_client_san patch, as with it I can enforce that User-Name matches the subjectAltName, and then use the User-Name as the key for authorization. Regards, Graham --