EAP-TLS and user name

Alan DeKok aland at deployingradius.com
Fri Jul 25 14:10:39 CEST 2014

Sven_Menschner at drewag.de wrote:
> We have set up a freeradius server for WLAN authentication. We have 
> deployed a PKI to use EAP-TLS and everything runs fine so far.
> But I am wondering if the user name provided by the supplicant is used by 
> freeradius at all when using this authentication method.
> I have tested these scenarios:

  Only if you add configuration to check it.

> If I provide a wrong user name in the supplicant configuration (it doesn't 
> match the user name in client certificate), authentication still works.

  That's how EAP-TLS works.  If the certificate is OK, it doesn't really
matter what *else* is supplied as part of the user authentication.

> So is it checked at all? If so, does that imply that everyone is able to get 
> authenticated as soon as he gets the client certificate, even if he 
> doesn't know the user's identity?

  The client certificate *is* the user's identity.

> So some explanation about the relation between EAP-TLS and the user store 
> would be great...

  EAP-TLS users identify themselves.  They don't need a "user store".
The certificate is their user store.

  Alan DeKok.
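
Added example, not part of the original message and not taken from the poster's configuration: one way to "add configuration to check it", so that the supplied User-Name must match the certificate's Common Name. It assumes the certificates carry in their CN the exact string the supplicant sends as its identity, and a FreeRADIUS release that exposes the TLS-Client-Cert-Common-Name attribute; the placement in post-auth is also an assumption to verify against your version.

```conf
# Fragment for the eap module configuration, inside the existing "tls"
# section. Constructed for illustration: merge it into your own file.
eap {
	tls {
		# Without this option, any certificate that validates is
		# accepted, whatever User-Name the supplicant sends.
		#
		# With it, the expanded value must equal the CN of the client
		# certificate, otherwise certificate verification fails.
		check_cert_cn = %{User-Name}
	}
}

# Alternative: the same comparison written as policy in the virtual
# server, which also leaves room for logging or other conditions.
post-auth {
	# Only compare when a client certificate was actually presented, so
	# that other EAP methods handled by this server are not rejected.
	if (TLS-Client-Cert-Common-Name && (User-Name != "%{TLS-Client-Cert-Common-Name}")) {
		reject
	}
}
```

Either check is a plain string comparison: an identity sent as user@realm does not match a CN that holds only the user part, so the certificate naming scheme and the supplicant identity have to be aligned first.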
