4 Apr
2016
4 Apr
'16
6:05 a.m.
Hi,
I would like to ask the following question. Is there something I can configure on the server side that only certain CommonName's and/or serial's can be used to authenticate correctly?
yes check_cert_cn , TLS-Client-Cert-CN , theres also the dynamic OSCP check you can do - but the best thing to do it use a privtae CA for a EAP-TLS system. as for the username - thats the 'outerid' as such - allowing proxying of the to-be-commenced authentication - protecting the real user id from the local RADIUS ssytem, allowing proxying etc without the EAP engine of the local server to be invoked. user@othersite.com - proxied off (as the client wont be able to talk to YOUR RADIUS server - think 'eduroam' :-) ) alan