Problem with EAP/TLS and XP SP2
Ben Walding
ben.walding at gmail.com
Mon Nov 7 05:09:38 CET 2005
On 11/6/05, Alan DeKok <aland at ox.org> wrote:
>
> Hal Pomeranz <hal at deer-run.com> wrote:
> > I don't fully understand from the docs what
> > this parameter is doing exactly. Is this supposed to work? Is there
> > some configuration (perhaps in my users file) that I'm missing? What
> > is the impact of NOT setting this parameter?
>
> The issue is that the User-Name attribute may be different than the
> CN in the certificate. i.e. I steal your certificate and use it.
>
> This check tries to ensure that the person using the certificate is
> the one who's supposed to be using it.
>
> The impact of not setting it is usually minor.
>
>
We've found in testing that the XP supplicant (with certain patches) will
read the certificate and send a User-Name that is constructed from the
certificate CN (host/ + cert CN); thus rendering the whole "checking the CN
process" fairly pointless for XP supplicants.
Cheers,
Ben