Using X.509 Cert. subject and issuer for authorization with EAP-TLS
Jouni Malinen
j at w1.fi
Sun Apr 13 09:26:32 CEST 2008
On Sat, Apr 12, 2008 at 05:41:44PM +0200, Alan DeKok wrote:
> Yes, I would use the User-Name for VLAN assignment. I would also use
> check_cert_cn to be sure that they didn't lie about the User-Name.
There should not really be any requirement for the User-Name
(EAP-Response/Identity) to match the CN in the case of EAP-TLS. The
EAP-Response/Identity is mainly for routing and it is sent in the clear, so
requiring it to match the CN would prevent identity privacy.
> Which is why it's there. Honestly, I don't see why you're so shocked
> about it. You seem to be saying that check_cert_cn is a bad idea,
> because you have to *use* it to prevent people from lying.
But check_cert_cn is indeed a bad idea in many cases. The RFC 2716bis draft
is changing the identity verification to "SHOULD NOT" require the identities
(EAP-Identity and CN) to be identical. The identity from
EAP-Response/Identity is mainly for routing purposes, and things like
VLAN selection should really use information from the client certificate
(in the case of EAP-TLS) instead.
If someone is willing to write a submission for this, it would be very
useful to be able to use information from various certificate attributes
to decide what to do with the request after the EAP-TLS authentication
has been completed. This would make it possible to disable check_cert_cn
and would even allow the use of groups (i.e., not just a list of every
possible identity string) for VLAN assignment.
--
Jouni Malinen PGP id EFC895FA
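The authorization step the message asks for, as an added example that is not part of the original thread and not FreeRADIUS code: the cleartext EAP identity (User-Name) is left out of the decision entirely, the issuer of the already-handshake-verified client certificate is pinned, and the VLAN is chosen from the subject's OU, i.e. from a group rather than from a list of every identity string. The request is modelled as a dict of attributes; the names TLS-Client-Cert-Subject and TLS-Client-Cert-Issuer and the OpenSSL one-line DN format ("/C=FI/O=Example Oy/CN=alice") are assumed here to match what the FreeRADIUS EAP-TLS module exposes, and the issuer, groups, VLAN numbers and requests are constructed for the example. The reply attributes follow RFC 3580.

```python
import re

# Constructed policy for the example (not FreeRADIUS configuration).
# Only certificates from this issuer are accepted; the OU of the subject
# selects the VLAN, so adding a user to a group needs no per-identity entry.
TRUSTED_ISSUER = "/C=FI/O=Example Oy/CN=Example Device CA"
GROUP_VLANS = {"Engineering": 20, "Finance": 30}
DEFAULT_VLAN = 99  # members of no known group land on the guest VLAN


def parse_dn(dn):
    """Parse an OpenSSL one-line DN ("/C=FI/O=Example Oy/CN=alice") into a
    dict of attribute type -> list of values, keeping order and repeated
    attributes such as several OU entries.

    Split only on a "/" that starts a new "TYPE=" pair, so a "/" inside a
    value survives.  A value containing a literal "/XX=" would still be
    mis-split; that is a known ambiguity of the one-line format.
    """
    attrs = {}
    for part in re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn.lstrip("/")):
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs.setdefault(key, []).append(value)
    return attrs


def authorize(request):
    """Post-EAP-TLS authorization: return ("Access-Accept", vlan_id) or
    ("Access-Reject", reason).

    `request` is a dict of attribute name -> string.  User-Name (the
    cleartext EAP-Response/Identity) is deliberately not consulted, so the
    client may send an anonymous identity; only the certificate that the
    TLS handshake has already validated decides the outcome.
    """
    issuer = request.get("TLS-Client-Cert-Issuer")
    subject = request.get("TLS-Client-Cert-Subject")
    if issuer is None or subject is None:
        return ("Access-Reject", "no client certificate")
    if parse_dn(issuer) != parse_dn(TRUSTED_ISSUER):
        return ("Access-Reject", "untrusted issuer")
    attrs = parse_dn(subject)
    if not any(attrs.get("CN", [])):
        return ("Access-Reject", "subject has no CN")
    vlans = sorted({GROUP_VLANS[ou] for ou in attrs.get("OU", [])
                    if ou in GROUP_VLANS})
    if len(vlans) > 1:
        # Membership in two groups mapped to different VLANs is a policy
        # error; refuse rather than silently pick one.
        return ("Access-Reject", "ambiguous group membership")
    return ("Access-Accept", vlans[0] if vlans else DEFAULT_VLAN)


def vlan_reply_attributes(vlan_id):
    """RFC 3580 tunnel attributes an 802.1X switch expects in Access-Accept."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


# Constructed requests.  The first carries an anonymous User-Name that does
# not match the certificate CN, exactly the case check_cert_cn would reject.
REQUESTS = [
    {"User-Name": "anonymous@example.com",
     "TLS-Client-Cert-Issuer": TRUSTED_ISSUER,
     "TLS-Client-Cert-Subject": "/C=FI/O=Example Oy/OU=Engineering/CN=alice"},
    {"User-Name": "carol",
     "TLS-Client-Cert-Issuer": TRUSTED_ISSUER,
     "TLS-Client-Cert-Subject": "/C=FI/O=Example Oy/OU=Contractors/CN=carol"},
    {"User-Name": "alice",
     "TLS-Client-Cert-Issuer": "/C=FI/O=Mallory Inc/CN=Mallory CA",
     "TLS-Client-Cert-Subject": "/C=FI/O=Example Oy/OU=Engineering/CN=alice"},
    {"User-Name": "dave",
     "TLS-Client-Cert-Issuer": TRUSTED_ISSUER,
     "TLS-Client-Cert-Subject":
         "/C=FI/O=Example Oy/OU=Engineering/OU=Finance/CN=dave"},
]

if __name__ == "__main__":
    for req in REQUESTS:
        code, result = authorize(req)
        if code == "Access-Accept":
            print(req["User-Name"], code, vlan_reply_attributes(result))
        else:
            print(req["User-Name"], code, result)
```

Issuer comparison is done on the parsed DN rather than the raw string so that it is not sensitive to how the DN was serialised; in a real deployment the issuer check belongs in the TLS trust configuration (which CAs are in the CA bundle) and this step only decides what an authenticated holder of a certificate from that CA may do.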