EAP-TLS: restricting CA certificate use to a subset of identities

Edgar Fuß ef at math.uni-bonn.de
Mon Jun 28 12:16:38 CEST 2010


Whein using EAP-TLS, is there any sane way of restricting the use of a CA Certificate to a subset of the possible identities? I.e., is it possible to configure a single FreeRADIUS 2 server to accept users @foo.my.domain only if their Certificates are signed with CA-Cert.foo and users @bar.my.domain only if theirs are signed with CA-Cert.bar?

It looks a bit tough because (if I got it right) eap.conf doesn't use unlang and no information whatsoever from the CA Certificate used for verification is available as an attribute.

Alternatively, is it possible to log the name of the CA certificate on successful login? So that even if the logged user identity is user at foo.my.domain the log shows that the user cert was actually issued by bar.my.domain.

Thanks for any hints.



More information about the Freeradius-Users mailing list