using SSL certs with EAP-TLS
A.L.M.Buxey at lboro.ac.uk
A.L.M.Buxey at lboro.ac.uk
Mon Apr 4 12:05:32 CEST 2016
Hi,
> I would like to ask the following question. Is there something I can
> configure on the server side that only certain CommonName's and/or
> serial's can be used to authenticate correctly?
yes check_cert_cn , TLS-Client-Cert-CN , theres also the dynamic OSCP check you can do -
but the best thing to do it use a privtae CA for a EAP-TLS system.
as for the username - thats the 'outerid' as such - allowing proxying of the to-be-commenced
authentication - protecting the real user id from the local RADIUS ssytem, allowing proxying etc
without the EAP engine of the local server to be invoked. user at othersite.com - proxied
off (as the client wont be able to talk to YOUR RADIUS server - think 'eduroam' :-) )
alan
More information about the Freeradius-Users
mailing list