Check for Certificate AND Username

Alan DeKok aland at deployingradius.com
Fri Sep 14 17:31:16 CEST 2007


Wolfgang Burger wrote:
> Well, there is another Radius-Server (DRAS, running under VMS,
> controlled by someone else) where all the users are listed.
> I just thought it would be very nice to check for a username/password, to
> make sure that no one gives away his certificate in any way.

  Then use EAP-TTLS instead of EAP-TLS.  You can then proxy the internal
username/password information.  With EAP-TLS, there is no username or
password, so you can't proxy anything.

> And, and this is more important, it is possible that someone is blocked
> on the other server but still has a valid certificate.
> By proxying the request, that user would be blocked.
> Any other idea how to do this?

  Revoke the client certificate.

  Alan DeKok.


