EAP-TLS and user name
aland at deployingradius.com
Fri Jul 25 14:10:39 CEST 2014
Sven_Menschner at drewag.de wrote:
> we have setup a freeradius server for WLAN authentication. We have
> deployed a PKI to use EAP-TLS and everything runs fine so far.
> But I am wondering if the user name provided by the supplicant is used by
> freeradius at all when using this authentication method.
> I have tested these scenarios:
Only if you add configuration to check it.
> If I provide a wrong user name in the supplicant configuration (it doesn't
> match the user name in client certificate), authentication still works.
That's how EAP-TLS works. If the certificate is OK, it doesn't really
matter what *else* is supplied as part of the user authentication.
> So is it checked at all? If so, does that imply that everyone is able get
> authenticated as soon as he gets the client certificate, even if he
> doesn't know the users identity?
The client certificate *is* the users identity.
> So some explanation about the relation between EAP-TLS and the user store
> would be great...
EAP-TLS users identify themselves. They don't need a "user store".
The certificate is their user store.
More information about the Freeradius-Users