Help on TLS+Active Directory
gera
gera at gera.me
Wed Dec 2 17:23:03 CET 2009
On Wednesday 02 December 2009 12:05:14 am Alan DeKok wrote:
> gera wrote:
> > BUT, we noted an interesting behaviour. If the client specifies to Windows to
> > use another username to log in, although freeradius complains that the
> > user doesn't exist in ldap, it seems it still accepts this user, as long
> > as the certificate is fine.
>
> That's how EAP-TLS works.
OK, I understand. But is there any way in which we can only take care of the
commonName on the certificate, ignoring what the user is sending in?
>
> > So, in this case, if the user isn't allowed to log in
> > because of simultaneous use, he can still change the username which he
> > uses, specifying another one (whichever, even if it doesn't exist) and
> > voilà! He can now log in.
> >
> > I'm sure I'm missing something, but I'm not sure what.
>
> You need to update the CRL to revoke the certificate. The user then
> can't use it for authentication.
But in this case, the user will no longer be able to log in to the system
until he gets a new certificate, right?
More information about the Freeradius-Users
mailing list
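Added example (not part of the thread, and not a reply from either participant): the configuration a FreeRADIUS 2.x administrator would use to bind the EAP-TLS session to the certificate's commonName rather than to the identity the supplicant types in. It assumes the stock 2.x file layout (`eap.conf`, `sites-enabled/default`) and the certificate paths shown, which are placeholders; `check_cert_cn` and the `TLS-Client-Cert-Common-Name` attribute are real FreeRADIUS features, the rest of the values are assumptions for illustration.

```conf
# eap.conf  (added example; paths are assumed, adjust to your install)
eap {
        default_eap_type = tls
        tls {
                certdir = ${confdir}/certs
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${certdir}/ca.pem
                dh_file = ${certdir}/dh

                # Reject the authentication unless the CN in the client
                # certificate equals the User-Name the supplicant sent.
                # With this set, a user cannot present a different
                # identity than the one his certificate carries, so the
                # Simultaneous-Use check is keyed on the right name.
                check_cert_cn = %{User-Name}

                # Revocation still needs a CRL; CA_path must be a
                # c_rehash'ed directory holding ca.pem and the CRL.
                check_crl = yes
                CA_path = ${certdir}
        }
}

# sites-enabled/default  (added example, relevant sections only)
authorize {
        preprocess
        eap
        # Simultaneous-Use and the rest of the user's check items come
        # from wherever you keep them (files, sql, ldap ...).
        ldap
}

authenticate {
        eap
}

session {
        # Simultaneous-Use enforcement; keyed on request User-Name,
        # which check_cert_cn above has already tied to the cert CN.
        radutmp
}

post-auth {
        # Send the certificate CN back as User-Name so the NAS accounts
        # the session under that name, not under whatever the supplicant
        # typed (many NASes use the Access-Accept User-Name for accounting).
        update reply {
                User-Name := "%{TLS-Client-Cert-Common-Name}"
        }
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
```

The two halves address the two points raised in the thread: `check_cert_cn` closes the "type a different username" bypass without revoking anything, and `check_crl` plus a CRL in `CA_path` is the path Alan describes for actually revoking a certificate, which, as the original poster notes, locks the user out until he is issued a new one.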