user(name) and EAP-TLS
Klaus Klein
k.klein at gmx.de
Sat Aug 4 01:08:46 CEST 2012
On 03.08.2012 22:06, Alan DeKok wrote:
> Klaus Klein wrote:
>> I'm working on securing the access to a WLAN network with
>> WPA2-Enterprise, EAP-TLS and a FreeRADIUS server.
> Which uses certificates for authentication.
Correct.
>> Everything seemed to work as expected until I realized that a client will
>> be authenticated (by eap) even if the user(name), provided with the
>> mandatory "identifier" entry in wpa_supplicant.conf, doesn't exist in
>> the users file.
> That's how EAP-TLS works.
Is it then correct that the 'check_cert_cn' option in eap.conf is the only way to prevent anyone on the client side from tampering with the identity entry, and thereby avoiding restrictions (e.g. Login-Time) for that client?
Or is there another/better way to tie any setting to an EAP-TLS authenticated client?
Cheers,
Klaus
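
The binding asked about above, as an added configuration sketch that is not part of the original message or of the project's shipped files: `check_cert_cn` in the `tls` section of eap.conf compared against the supplied identity, so that a users-file restriction keyed on that name cannot be sidestepped by editing the identity on the client. The user name `klaus` and the Login-Time value are constructed, and the certificate CN is assumed to equal that name.

```conf
# eap.conf (FreeRADIUS 2.x layout), tls sub-section of the eap module.
# Only the setting under discussion is shown; certificate, key and CA
# settings stay as they are in the existing file.
eap {
	tls {
		# Before: option left commented out. Any identity string is
		# accepted as long as the client certificate verifies, so the
		# User-Name is not tied to the certificate.
		#check_cert_cn = %{User-Name}

		# After: the expanded value must equal the CN of the client
		# certificate, otherwise certificate verification fails and
		# the client is rejected.
		check_cert_cn = %{User-Name}
	}
}

# users file (constructed entry; assumes the certificate CN is "klaus").
# With the check above, a client holding this certificate can only
# authenticate as "klaus", so this restriction applies to it.
klaus	Login-Time := "Wk0800-1800"
```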