Morning, On 6-4-2016 09:31, Stefan Winter wrote:
Ah, well that's a reason for using a commercial CA for the client certs indeed. As others have pointed out, attributes like TLS-Client-Cert-CN can be used to compare the cert name against a list of known-good names. Of course you'll have to manage that list of names yourself in config; on a scale of "handful" that's not a problem I guess. But on a larger scale, it will get bothersome.
Thanks alan and Stefan, I followed your hint of TLS-Client-Cert-Common-Name and used the example from http://security.stackexchange.com/questions/85239/freeradius-eap-tls-authent... and now my config not only checks the validity of the certificate but also that the CommonName matches one of the few domains I control. Cheers, Wouter