EAP-TLS CN Check Question

David Mitchell mitchell at ucar.edu
Wed May 26 18:53:31 CEST 2010


Greetings,

I'm working with the EAP-TLS configuration and one thing I'd like to do
is to be able to restrict a certificate to use on a specific device. In
most cases, I can get this to work:
check_cert_cn = %{User-Name}-%{Calling-Station-Id}

However, by default Windows XP is using the value of CN from the
certificate as the username so I get a value which matches
check_cert_cn = %{User-Name}
making it hard to integrate the Calling-Station-Id into the comparison.
Full regexp comparisons don't seem to be available, at least that used
to be the case based on my reading of the mailing list archives.

Is there some other way to accomplish this? I was thinking if perhaps
the certificate attributes ended up in a place where I could perform
more thorough unlang comparisons I could get the same effect. The
authentication eventually passes through the users file, and the
User-Name and Calling-Station-Id should be available there but I don't
know if I can access the CN or other certificate attributes there. Does
anybody know if this is possible?

As a fallback, I can have the XP users jump through more configuration
hoops, or put only the Calling-Station-Id into the CN but I do like
having the username in there as well. Thanks in advance,

-David Mitchell


-- 
-----------------------------------------------------------------
| David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------
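The device-binding comparison the post is after, written out as a stand-alone policy function so the logic can be exercised outside the server. This is an added example, not code from the post and not part of FreeRADIUS; the CN layout (`<username>-<mac>`, mirroring the `%{User-Name}-%{Calling-Station-Id}` template above), the accepted MAC spellings and the function names are all assumptions made here for illustration. Rather than rebuilding the expected CN from User-Name (which breaks when Windows XP sends the CN itself as User-Name), it parses the certificate CN and compares its MAC component against the Calling-Station-Id directly.

```python
"""
Added example (not from the original mailing-list post and not FreeRADIUS
code): check that a client certificate's CN binds the user to the device
that is authenticating, independent of how the supplicant fills User-Name.

Assumptions (hypothetical, chosen for illustration):
  * certificate CNs are issued as "<username>-<mac>", the MAC being the
    last component so usernames containing '-' still parse;
  * Calling-Station-Id is a MAC address in any common NAS spelling
    (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aabbccddeeff);
  * User-Name is either the bare username or, as with Windows XP in the
    post, a copy of the certificate CN.
"""
import re

# 12 hex digits, optionally separated in pairs by ':', '-' or '.'
_CN_RE = re.compile(
    r"^(?P<user>.+?)-(?P<mac>(?:[0-9A-Fa-f]{2}[:\-.]?){5}[0-9A-Fa-f]{2})$"
)
_HEX12_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: str) -> str:
    """Reduce any common MAC spelling to 12 lowercase hex digits, or raise."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if not _HEX12_RE.match(digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


def split_cn(cn: str):
    """Split a "<username>-<mac>" CN into (username, normalized_mac).

    The regex is anchored on a full MAC at the end of the string, so a
    username such as "a-b" is recovered intact.
    """
    m = _CN_RE.match(cn)
    if not m:
        raise ValueError(f"CN {cn!r} is not of the form <user>-<mac>")
    return m.group("user"), normalize_mac(m.group("mac"))


def cert_bound_to_device(user_name: str, calling_station_id: str, cert_cn: str) -> bool:
    """True when the certificate CN ties this user to this Calling-Station-Id.

    Any malformed CN or Calling-Station-Id fails closed. User-Name may be
    either the bare username encoded in the CN or the CN itself (the
    Windows XP behaviour described in the post).
    """
    try:
        cn_user, cn_mac = split_cn(cert_cn)
        station_mac = normalize_mac(calling_station_id)
    except ValueError:
        return False
    if cn_mac != station_mac:
        return False
    return user_name in (cn_user, cert_cn)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    cases = [
        ("dmitchell", "00:11:22:33:44:55", "dmitchell-001122334455"),            # bare username
        ("dmitchell-001122334455", "00-11-22-33-44-55", "dmitchell-001122334455"),  # XP sends CN
        ("dmitchell", "00:11:22:33:44:66", "dmitchell-001122334455"),            # wrong device
        ("jdoe", "00:11:22:33:44:55", "dmitchell-001122334455"),                 # wrong user
    ]
    for user, station, cn in cases:
        print(f"{user!r:28} {station:20} {cn:26} -> {cert_bound_to_device(user, station, cn)}")
```

Two points from this worth carrying into whatever the server-side check ends up being: normalize the Calling-Station-Id before comparing, since different NAS vendors format MAC addresses differently, and fail closed on any CN that does not parse rather than falling back to a plain username match.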
