Question about windowsXP(Odessey Client) + EAP-TLS with freeRADIUS

Hangjun He elmerhe at
Fri Dec 14 03:08:23 CET 2007

Yes. It sounds good.
  Check common name in the certificate with databases(users or others).

s3b0 at 写道:
> Hangjun He wrote:
> > And I use EAP-TLS and with correct certs. Even if I set wrong
> > username in Odessey Client, freeRADIUS will return
> > success.(check_cert_cn not set).
> EAP-TLS authenticates users based on certificates. It ignores the
> user name.

i think, thats not completely correct. when you use eap-tls, the username in the radius-packet is the common name of your certificate. so you can check in the users file against the common name, and reject specific common names...

if you set check_cert_cn to "yes", then the server will compare the common name of the certicate with the user-name in the radius packet (as i said, this is normally also the common name). 

> > Can I let freeRADIUS to check if username in the users file or other
> > database? If not, reject user.
> Yes. Configure that:
> bob Auth-Type := Reject
> Alan DeKok.

Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! 
Ideal für Modem und ISDN:
List info/subscribe/unsubscribe? See

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list