user(name) and EAP-TLS

Klaus Klein k.klein at
Sat Aug 4 01:08:46 CEST 2012

Am 03.08.2012 22:06, schrieb Alan DeKok:
> Klaus Klein wrote:
>>   I'm working on securing the access to a WLAN network with
>> WPA2-Enterprise, EAP-TLS and a FreeRADIUS server.
>    Which uses certificates for authentication.

>> Everything seemed to work as expected until realized that a client will
>> be authenticated (by eap) even if the user(name), provided with the
>> mandatory "identifier" entry in wpa_supplicant.conf, doesn't exist in
>> the users file.
>    That's how EAP-TLS works.
Is it then correct that the 'check_cert_cn' option in eap.conf is the only way to prevent anyone on the client side to tamper with the identity entry, and thereby avoiding restrictions (e.g. Login-Time) for that client?

Or is ther a other/better way to tie any setting to a EAP-TLS authenticated client?


More information about the Freeradius-Users mailing list