EAP-TLS: restricting CA certificate use to a subset of identities

[Edgar Fuß]

> You can configure 2 EAP modules
Ah, thanks. That looks a lot less insane than two RADIUS servers.

> and have requests for different domains be handled by different modules.
But how do I direct certain users to an instance of the eap module?
Inside the eap module, I have check_cert_cn, but I would need to check the User-Name attribute against a fixed pattern.
It's probably easy, but I'm no FreeRADIUS expert.