rlm_eap_tls: authenticate instead of authorize?
minfrin at sharp.fm
Tue Jan 10 19:36:20 CET 2012
On 10 Jan 2012, at 2:27 PM, Alan DeKok wrote:
>> Would there be any ill effects if the rlm_eap_tls certificate parsing was moved from the authenticate section to the authorize section?
> Likely not. But the difficulty is doing that *only* for the EAP-TLS
> code. The EAP modules currently do all of their work in the
> "authenticate" section, for good reason. Nearly everything in EAP is
> based on authentication. So doing the work in another section would be
I think I have worked around my problem for now with the check_client_san patch, as with it I can enforce that User-Name matches the subjectAltName, and then use the User-Name as the key for authorization.
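The binding described above (User-Name must equal a subjectAltName entry before User-Name is used as the authorization key), as an added example that is not part of the original post and is neither FreeRADIUS code nor the check_client_san patch. It assumes certificates shaped like Python's `ssl.SSLSocket.getpeercert()` output, case-insensitive comparison, and a hypothetical policy table; all names and values are constructed.

```python
# Added example: models the User-Name / subjectAltName binding only.
# Certificates are dicts in the shape ssl.SSLSocket.getpeercert() returns.

# Assumption: only these SAN types may carry the user identity.
ALLOWED_SAN_TYPES = {"email", "DNS"}


def san_identities(cert):
    """Return the SAN values usable as an identity, normalised to lower case."""
    return {
        value.strip().lower()
        for san_type, value in cert.get("subjectAltName", ())
        if san_type in ALLOWED_SAN_TYPES and value.strip()
    }


def user_name_matches_san(user_name, cert):
    """True only if User-Name equals one whole SAN entry (no prefix matching)."""
    if not user_name:
        return False
    return user_name.strip().lower() in san_identities(cert)


def authorize(user_name, cert, policy, enforce_san=True):
    """Look up policy keyed on User-Name, binding it to the certificate first."""
    if enforce_san and not user_name_matches_san(user_name, cert):
        return "reject"
    return policy.get(user_name.strip().lower(), "reject")


# Constructed sample data (hypothetical users and policy values).
POLICY = {"alice@example.org": "vlan-10", "bob@example.org": "vlan-admin"}
ALICE_CERT = {
    "subject": ((("commonName", "alice"),),),
    "subjectAltName": (("email", "alice@example.org"), ("URI", "urn:dev:1")),
}

if __name__ == "__main__":
    # A valid certificate for alice presented with bob's User-Name:
    # without the binding, policy is looked up for the claimed name.
    print(authorize("bob@example.org", ALICE_CERT, POLICY, enforce_san=False))
    # With the binding, the mismatch is rejected before the lookup.
    print(authorize("bob@example.org", ALICE_CERT, POLICY))
    # The certificate holder's own identity still authorizes normally.
    print(authorize("Alice@Example.org", ALICE_CERT, POLICY))
```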