On 08 Jan 2012, at 5:01 PM, Alan DeKok wrote:
When using client certificates in EAP-TLS, the check_cert_cn option exists that allows you to check that the username matches the CN. Is there a corresponding option somewhere that will allow you to verify the User-Name against the subjectAltName instead?
In the latest version of the server, see raddb/sites-available/default. Look for TLS-Cert
That wasn't quite what I was after, but rather a generic way to ensure the User-Name matches either dnsName or rfc822Name in the subjectAltName, depending on whether the peer was a host or a person. Turned out the patch to implement this was simple, for freeradius-server-master: And this is the same patch, backported to v2.1.x: It adds a check_user_san option, which some googling showed past people have asked about. Regards, Graham --