Using X.509 Cert. subject and issuer for authorization with EAP-TLS
j at w1.fi
Sun Apr 13 09:26:32 CEST 2008
On Sat, Apr 12, 2008 at 05:41:44PM +0200, Alan DeKok wrote:
> Yes, I would use the User-Name for VLAN assignment. I would also use
> check_cert_cn to be sure that they didn't lie about the User-Name.
There should not really be any requirement for User-Name
(EAP-Response/Identity) to match with CN in case of EAP-TLS.. The
EAP-Response/Identity is mainly for routing and it is sent in clear, so
requiring it to match with CN would prevent identity privacy.
> Which is why it's there. Honestly, I don't see why you're so shocked
> about it. You seem to be saying that check_cert_cn is a bad idea,
> because you have to *use* it to prevent people from lying.
But check_cert_cn is indeed a bad idea in many cases.. RFC 2716bis draft
is changing the identity verification to "SHOULD NOT" require identities
(EAP-Identity and CN) to be identical.. Identity from
EAP-Response/Identity is mainly for routing purposes and things like
VLAN selection should really use information from the client certificate
(in case of EAP-TLS) instead.
If someone is willing to write a submission for this, it would be very
useful to be able to use information from various certificate attributes
to decide what to do with the request after the EAP-TLS authentication
has been completed. This would make it possible to disable check_cert_cn
and would even allow use of groups (i.e., not just list of every
possible identity string) for VLAN assignment.
Jouni Malinen PGP id EFC895FA
More information about the Freeradius-Devel