Problem with EAP/TLS and XP SP2
Michael Griego
mgriego at utdallas.edu
Mon Nov 7 16:46:25 CET 2005
Ben Walding wrote:
> We've found in testing that the XP supplicant (with certain patches)
> will read the certificate and send a User-Name that is constructed
> from the certificate CN (host/ + cert CN); thus rendering the whole
> "checking the CN process" fairly pointless for XP supplicants.
This is only true when a certificate is used for machine authentication,
not for user authentication.
The true point of the check_cert_cn option is to ensure that any
attributes added during authorization are ensured to be matched to the
certificate. This way, you can be sure that, for instance, a user that
has a bandwidth-limiting attribute added to the reply is truly
authenticating as that user, not just presenting an identity with
greater privileges and authenticating as a user with lower privileges.
To get around the problem stated above, all you have to do is create
two instances of the EAP module. In cases where the User-Name attribute
begins with "host/", just send those authentications to the second EAP
module, and have the check_cert_cn parameter set to check for
"host/%{User-Name}". This way you can still be assured of proper
authorization.
--Mike
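The following is an added illustration, not FreeRADIUS code and not something either poster supplied: a small Python model of the authorization policy the reply describes. It assumes two EAP instances (named `eap` and `eap_machine` here, hypothetical names), routes identities that begin with "host/" to the machine instance, and checks each identity against the certificate CN in the form that instance expects. The per-user reply attributes are a constructed sample table.

```python
# Added example modelling the check_cert_cn policy from the post above.
# It is not rlm_eap's own implementation; it only reproduces the decision
# a server makes when binding authorization attributes to a certificate.

MACHINE_PREFIX = "host/"  # prefix the XP supplicant adds for machine auth

# Constructed sample: reply attributes granted per identity (standard RADIUS
# attribute names, values chosen only for illustration).
SAMPLE_REPLY_ATTRS = {
    "alice": {"Filter-Id": "staff-acl", "Session-Timeout": 28800},
    "bob": {"Filter-Id": "guest-acl", "Session-Timeout": 3600},
    "host/pc1.example.com": {"Filter-Id": "machine-acl"},
}


def select_instance(user_name):
    """Pick the EAP instance: "host/" identities go to the machine instance."""
    return "eap_machine" if user_name.startswith(MACHINE_PREFIX) else "eap"


def expected_identity(cert_cn, user_name):
    """Return the identity this certificate entitles the peer to claim.

    The default instance checks User-Name against the bare CN
    (check_cert_cn = %{User-Name}); the machine instance expects the
    CN wrapped as "host/" + CN, which is what the XP supplicant sends.
    """
    if select_instance(user_name) == "eap_machine":
        return MACHINE_PREFIX + cert_cn
    return cert_cn


def cert_cn_matches(cert_cn, user_name):
    """True when the presented identity is backed by the certificate."""
    return user_name == expected_identity(cert_cn, user_name)


def authorize(cert_cn, user_name, reply_attrs=SAMPLE_REPLY_ATTRS):
    """Apply reply attributes only when identity and certificate agree.

    A peer presenting a privileged identity while authenticating with a
    lower-privileged certificate is rejected instead of being granted the
    privileged identity's attributes.
    """
    if not cert_cn_matches(cert_cn, user_name):
        return {
            "result": "reject",
            "instance": select_instance(user_name),
            "reason": "User-Name does not match certificate CN",
        }
    return {
        "result": "accept",
        "instance": select_instance(user_name),
        "reply": dict(reply_attrs.get(user_name, {})),
    }


if __name__ == "__main__":
    # Legitimate user, legitimate machine, and an identity/cert mismatch.
    for cn, name in [("alice", "alice"),
                     ("pc1.example.com", "host/pc1.example.com"),
                     ("bob", "alice")]:
        print(name, "with CN", cn, "->", authorize(cn, name))
```

The mismatch case is the one the reply is defending against: "bob"'s certificate with "alice"'s User-Name is rejected, so alice's reply attributes never reach a session authenticated by bob's key. Machine identities are checked in their own instance so that the "host/" prefix does not defeat the comparison.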