Support for check_cert_subjectAltName?
Phil Mayers
p.mayers at imperial.ac.uk
Sun Jan 8 23:22:23 CET 2012
On 01/08/2012 08:28 PM, Alan DeKok wrote:
>> Turned out the patch to implement this was simple, for freeradius-server-master:
>
> I'd prefer a patch which creates an attribute, just like the
> TLS-Cert-* attributes. The reason is that policies can be created by
> the administrator. A hard-coded check is likely more code and less
> flexible.

Isn't there a problem with that approach though? Namely, that the TLS-*
attributes aren't available in the "authorize" section (because the eap
module, and all the EAP methods, do their work in "authenticate"). But
in post-auth, turning an accept into a reject is fraught, and bad practice?

This comes up occasionally when people want to check the TLS-*
attributes and act on them (as opposed to logging them).

Or am I missing something? We don't use EAP-TLS so it's entirely possible.