using SSL certs with EAP-TLS

Wouter radius at occult.nl
Mon Apr 4 21:29:14 CEST 2016


Dear Alan,

On 04-04-16 12:05, A.L.M.Buxey at lboro.ac.uk wrote:
> yes check_cert_cn , TLS-Client-Cert-CN , there's also the dynamic OCSP check you can do -
> but the best thing to do is use a private CA for an EAP-TLS system.
> as for the username - that's the 'outerid' as such - allowing proxying of the to-be-commenced
> authentication - protecting the real user id from the local RADIUS system, allowing proxying etc
> without the EAP engine of the local server to be invoked.  user at othersite.com - proxied
> off (as the client won't be able to talk to YOUR RADIUS server - think 'eduroam' :-) )

Thanks a lot. Also after reading
http://serverfault.com/questions/410495/how-many-user-supplicant-certificates-are-needed-for-wpa2-enterprise-on-a-small

I better understand what
	check_cert_cn = %{User-Name}
does; please correct me if I'm wrong.

It is in no way a check of the Issuer of the certificate against the root CA.
It is only a check that the username that was entered is the same as the
CN of the client cert.

So I guess it's nice to have learned this for now, but this doesn't help
me in authentication for only (let's say) the client certs
bob at example.com and alice at example.com. Now I better understand your hint
of proxying. Thanks for helping a FreeRadius newbie!

Wouter
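To make the three separate checks discussed in this thread concrete, here is an added configuration sketch (not from this thread and not the FreeRADIUS project's shipped files), assuming FreeRADIUS 3.0.x, a private CA at /etc/raddb/certs/ca.pem, the check-eap-tls virtual server, and the attribute name TLS-Client-Cert-Common-Name as found in the 3.0 dictionary; the mailing-list "bob at example.com" is written as a real CN would be, bob@example.com. The CA file decides which issuer is trusted, check_cert_cn only ties the outer User-Name to the CN, and the unlang allow-list is what actually limits logins to the two named certificates.

```unlang
# mods-available/eap  (FreeRADIUS 3.0.x assumed; file paths are assumptions)
eap {
    default_eap_type = tls
    tls-config tls-common {
        private_key_file = /etc/raddb/certs/server.pem
        certificate_file = /etc/raddb/certs/server.pem
        # Issuer check: only client certs chaining to this private CA
        # survive the TLS handshake. check_cert_cn plays no part here.
        ca_file = /etc/raddb/certs/ca.pem
        # CN check: reject if the outer User-Name differs from the cert CN.
        # Any CN issued by the CA still passes as long as the names match.
        check_cert_cn = %{User-Name}
        # Hand the presented certificate to a virtual server for policy.
        virtual_server = check-eap-tls
    }
    tls {
        tls = tls-common
    }
}

# sites-enabled/check-eap-tls
server check-eap-tls {
    authorize {
        # Allow-list: even a valid cert from the private CA whose CN matches
        # the User-Name is rejected unless it is one of these two names.
        if (&TLS-Client-Cert-Common-Name =~ /^(bob|alice)@example\.com$/) {
            ok
        }
        else {
            reject
        }
    }
}
```

A reject in check-eap-tls fails the TLS handshake itself, so the unwanted certificate never reaches the inner authentication stage.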


More information about the Freeradius-Users mailing list