i begin setting up configuration. bit i got two problems : client with good certificate can be authenticated even if they're not in "users" file. I assume it's due to my code. Here is under authenticate section of default : Auth-Type eap { eap if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxxxxxxx\// ) { if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxxxxxxxxxx\// ) { ok } else { fail } It's like when condition is checked, it bypassed "users" file. Maybe, i must move these lines under authorize ? anyone to confirm it ? cheers
Date: Mon, 4 Feb 2013 10:32:22 -0500 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: [EAP/TLS] Authenfication through a certificate
vazoumana fofana wrote:
i've got question about EAP/TLS and authentification for a client through a certificate ? I succeed setting up. But , i notice that freeradius matches client login with certificate CNAME. Is it possible to change it in order to match email instead of CNAME ?
Yes.
Read the eap.conf file, and the raddb/sites-available/default. This is documented.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html