Question about windowsXP(Odessey Client) + EAP-TLS with freeRADIUS

s3b0 at gmx.de s3b0 at gmx.de
Thu Dec 13 12:35:07 CET 2007


> Hangjun He wrote:
> >    And I use EAP-TLS and with correct certs.  Even if  I set wrong
> > username in Odessey Client, freeRADIUS will return
> > success.(check_cert_cn not set).
> 
>   EAP-TLS authenticates users based on certificates.  It ignores the
> user name.

i think, thats not completely correct. when you use eap-tls, the username in the radius-packet is the common name of your certificate. so you can check in the users file against the common name, and reject specific common names...

if you set check_cert_cn to "yes", then the server will compare the common name of the certicate with the user-name in the radius packet (as i said, this is normally also the common name). 

> 
> >     Can I let freeRADIUS to check if username in the users file or other
> > database?  If not, reject user.
> 
>   Yes.  Configure that:
> 
> bob	Auth-Type := Reject
> 
>   Alan DeKok.
> 

Sebastian
-- 
Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! 
Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer



More information about the Freeradius-Users mailing list