TLS Check Cn Question
David Mitchell
mitchell at ucar.edu
Thu May 26 17:31:13 CEST 2011
On May 26, 2011, at 1:25 AM, Alan DeKok wrote:
> David Mitchell wrote:
>> currently I'm using the check_cert_cn option in my EAP-TLS setup. I think
>> I may have the need to support two possible CN formats. Is there any
>> way to do a conditional check?
>
> Your message contains the answer to that question.
>
>> I don't think the eap.conf file is
>> unlang interpreted so I don't think I can include full regexp or if-then
>> conditionals can I? Is there some other way to accomplish this? The
>> docs mention possibly doing this by checking TLS-Client-Cert-CN but
>> I'm not sure where exactly I would do that. Thanks in advance,
>
> The CN is just a string. Check it like you would check any string.
Well yes, that's true. I'm just not sure where the best place to put the
check is since I don't believe eap.conf is unlang interpreted. Should it
go into the sites-enabled/default post-auth section? That's really the
piece that's not clear to me: where I can put the more sophisticated
checks. I think I can write them once I have an idea of where to put them.
Thanks in advance,
-David Mitchell
>
> Alan DeKok.
-----------------------------------------------------------------
| David Mitchell (mitchell at ucar.edu) Network Engineer IV |
| Tel: (303) 497-1845 National Center for |
| FAX: (303) 497-1818 Atmospheric Research |
-----------------------------------------------------------------