using SSL certs with EAP-TLS

A.L.M.Buxey at lboro.ac.uk
Mon Apr 4 12:05:32 CEST 2016


Hi,

> I would like to ask the following question. Is there something I can
> configure on the server side so that only certain CommonNames and/or
> serials can be used to authenticate correctly?

yes: check_cert_cn, TLS-Client-Cert-CN; there's also the dynamic OCSP check you can do -
but the best thing to do is use a private CA for an EAP-TLS system.

as for the username - that's the 'outerid' as such - allowing proxying of the to-be-commenced
authentication - protecting the real user id from the local RADIUS system, allowing proxying etc
without the EAP engine of the local server to be invoked.  user at othersite.com - proxied
off (as the client won't be able to talk to YOUR RADIUS server - think 'eduroam' :-) )


alan
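
For reference, the options named in the reply could be combined as below. This is an added example, not part of the original post or of the FreeRADIUS distribution; it assumes FreeRADIUS 3.x syntax and the dictionary attribute names TLS-Client-Cert-Common-Name and TLS-Client-Cert-Serial, and every file name, host name, serial and URL in it is constructed.

```conf
# Added example (FreeRADIUS 3.x syntax assumed); all values are constructed.

# --- mods-available/eap (excerpt) ---
eap {
    tls-config tls-common {
        # Private CA that issues only this deployment's client certificates.
        ca_file = ${cadir}/private-eap-ca.pem

        # Fail the handshake unless the certificate CN equals this expanded
        # string. With %{User-Name} the outer identity must match the CN,
        # so leave this unset if clients send an anonymous outer identity.
        check_cert_cn = %{User-Name}

        # Dynamic revocation check against the CA's OCSP responder.
        ocsp {
            enable = yes
            override_cert_url = yes
            url = "http://ocsp.example.org/"
        }
    }

    tls {
        tls = tls-common
        # Run the policy below after the certificate chain has verified.
        virtual_server = check-eap-tls
    }
}

# --- sites-available/check-eap-tls ---
server check-eap-tls {
    authorize {
        # Allow-list on CN and serial; every other certificate is rejected,
        # even though it chains to the trusted CA.
        if (&TLS-Client-Cert-Common-Name == "laptop01.example.org" && &TLS-Client-Cert-Serial == "0a1b2c") {
            update config {
                &Auth-Type := Accept
            }
        }
        else {
            update reply {
                &Reply-Message := "Certificate not on allow-list"
            }
            reject
        }
    }
}
```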

