rlm_eap_tls: authenticate instead of authorize?
Graham Leggett
minfrin at sharp.fm
Tue Jan 10 19:36:20 CET 2012
On 10 Jan 2012, at 2:27 PM, Alan DeKok wrote:
>> Would there be any ill effects if the rlm_eap_tls certificate parsing was moved from the authenticate section to the authorize section?
>
> Likely not. But the difficulty is doing that *only* for the EAP-TLS
> code. The EAP modules currently do all of their work in the
> "authenticate" section, for good reason. Nearly everything in EAP is
> based on authentication. So doing the work in another section would be
> hard.
Hmmm...
I think I have worked around my problem for now with the check_client_san patch, as with it I can enforce that User-Name matches the subjectAltName, and then use the User-Name as the key for authorization.
Regards,
Graham
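
An added illustration of the binding described in the message above (not code from the post, the check_client_san patch, or FreeRADIUS): the User-Name is accepted as an authorization key only when it equals an identity in the validated client certificate's subjectAltName. The SAN type names, the `(type, value)` input format and the matching rules (case-insensitive realm, exact local part, control characters rejected) are assumptions.

```python
# Added illustration, not the check_client_san patch: all names and matching
# rules below are assumptions made for this example.

# Assumed SAN kinds that can carry a user identity of the form user@realm.
IDENTITY_SAN_TYPES = ("email", "upn")


def normalize(identity):
    """Return a comparable user@realm string, or None if it is unusable."""
    if not identity or any(ord(c) < 0x20 or ord(c) == 0x7F for c in identity):
        return None  # NUL/control bytes: refuse instead of truncating
    local, sep, realm = identity.rpartition("@")
    realm = realm.lower().rstrip(".")  # DNS realm compares case-insensitively
    if not sep or not local or not realm:
        return None  # bare names such as "anonymous" cannot be bound
    return local + "@" + realm


def user_name_matches_san(user_name, san_entries):
    """san_entries: (type, value) tuples taken from an already verified cert."""
    wanted = normalize(user_name)
    if wanted is None:
        return False
    return any(
        san_type in IDENTITY_SAN_TYPES and normalize(value) == wanted
        for san_type, value in san_entries
    )


def authorization_key(user_name, san_entries):
    """Key for authorization lookups, or None when the request must be rejected."""
    if user_name_matches_san(user_name, san_entries):
        return normalize(user_name)
    return None


# Constructed sample: SAN entries as a TLS layer might hand them over.
SAMPLE_SAN = [("dns", "laptop.example.org"), ("email", "alice@example.org")]

if __name__ == "__main__":
    for name in ("alice@Example.ORG", "bob@example.org", "anonymous"):
        print(name, "->", authorization_key(name, SAMPLE_SAN))
```
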