Help on TLS+Active Directory

gera gera at gera.me
Wed Dec 2 02:26:50 CET 2009


Hi.

Need some help to understand this combination.

I'm trying to set up EAP-TLS + Active Directory authentication on a wireless 
mobility controller. 

This mob-con has a captive portal feature. To start testing, I configured 
freeradius as an LDAP client for Active Directory, using the Administrator 
account to bind to it, and using commonname as a filter. Then I configured the 
captive portal on the mob-con to authenticate through the radius server, and 
it worked fine, even using the simultaneous-use attribute. 

Then I went ahead and configured EAP-TLS. First I recompiled the source 
code to include support for SSL. Then I created the certs on freeradius using 
the Makefile which comes in the package. I signed the client certificates 
with the CA certificate, not the server one. Next, I configured the corresponding 
sections in eap.conf and default (enabling eap) and started freeradius -X.

After copying the certificates to the Windows Vista machines, I started the 
association. Everything went well, and the client authenticated without 
problems. Even trying to use the same certificate on another machine hit 
the simultaneous-use count and didn't allow the client to connect. 

BUT we noted an interesting behaviour. If the client tells Windows to use 
another username to log in, although freeradius complains that the user 
doesn't exist in LDAP, it seems it still accepts this user, as long as the 
certificate is fine. So, in this case, if the user isn't allowed to log in 
because of simultaneous use, he can still change the username he uses, 
specifying another one (any one, even if it doesn't exist), and voilà! He can 
now log in.

I'm sure I'm missing something, but I'm not sure what.

Any clue?

Will supply log or conf files upon request (right now, I'm not sure what parts 
could be relevant to you).
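Added example, not from the original post or from the FreeRADIUS project's shipped eap.conf: the tls section as it usually ships (the CN check commented out) next to the single change that ties the EAP identity in User-Name to the client certificate's CN, which matters because Simultaneous-Use is counted per User-Name. The option name check_cert_cn is the one FreeRADIUS 2.x eap.conf documents; file paths are assumed to match the poster's certs directory.

```text
eap {
        default_eap_type = tls
        tls {
                # key, certificate, dh_file and random_file settings stay as
                # generated by the Makefile in the certs directory (assumed paths)
                certdir = ${confdir}/certs
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${certdir}/ca.pem

                # As shipped (weak for this setup): the line below is a comment,
                # so any User-Name the supplicant sends is accepted as long as
                # the certificate chains to CA_file.  The LDAP "user not found"
                # and the Simultaneous-Use count are both keyed on that
                # client-chosen name, not on the certificate.
                # check_cert_cn = %{User-Name}

                # Corrected: the TLS handshake is rejected unless the client
                # certificate's CN equals the User-Name that was sent, so the
                # name that Simultaneous-Use counts is the one bound to the cert.
                check_cert_cn = %{User-Name}
        }
}
```

Run freeradius -X after the change and confirm that a supplicant sending a User-Name other than its certificate CN is now rejected during the TLS exchange rather than accepted.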




More information about the Freeradius-Users mailing list