using SSL certs with EAP-TLS
A.L.M.Buxey at lboro.ac.uk
Mon Apr 4 21:36:53 CEST 2016
Hi,
> I better understand what
> check_cert_cn = %{User-Name}
> does; please correct me if I'm wrong.
>
> It is in no way a check of Issuer of the certificate with the root CA.
> It is only a check if the username that was entered is the same as the
> CN of the client cert.
in the example mentioned, yes.
> So I guess it's nice to have learned this for now, but this doesn't help
> me in authentication for only (let's say) the client certs
> bob at example.com and alice at example.com. Now I better understand your hint
> of proxying. Thanks for helping a FreeRadius newbie!
for other checks, unlang parsing with TLS-Client-Cert-CN can verify if the CN matches
something that you've handed out - your realm, for example, shouldn't be present
in the CN from commercial CAs as no one else owns it/has authority (unless something
interesting is going on in your company.....) - likewise, OCSP can also be used to
verify if the cert is valid/current (more advanced methods also involve cert CNs being registered
and looked up in SQL or rejected!)
alan
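As an added example (not from Alan's message or from the FreeRADIUS distribution), here is how the issuer, realm and CN checks described above could be written in unlang for FreeRADIUS 3.0, together with the OCSP switch in the EAP tls-config. It assumes the tls-config sets virtual_server = check-eap-tls so the authorize section runs once the client certificate has been received; the issuer DN and the example.com realm are constructed values, and TLS-Client-Cert-Common-Name is taken to be the dictionary spelling of the attribute the message abbreviates as TLS-Client-Cert-CN.

```unlang
# Added example, not from the original message.  Two FreeRADIUS 3.0 config
# fragments (assumed layout): the EAP tls-config hands the received client
# certificate to a virtual server, whose authorize section applies the checks.

# --- mods-available/eap, inside the tls-config block (assumed name tls-common) ---
#   virtual_server = check-eap-tls     # run the server below on the client cert
#   ocsp {
#       enable = yes                   # ask the CA's responder whether the cert is revoked
#       override_cert_url = no         # use the AIA URL embedded in the certificate
#       softfail = no                  # responder unreachable => authentication fails
#   }

# --- sites-enabled/check-eap-tls ---
server check-eap-tls {
    authorize {
        # Issuer DN is a constructed value: only certificates from our own
        # client CA are acceptable, even if ca_file also trusts other roots.
        if (&TLS-Client-Cert-Issuer != "/C=GB/O=Example Org/CN=Example Client CA") {
            reject
        }

        # The CN must be in our realm (constructed: example.com).  Our own CA is
        # the only one that should ever put that realm in a CN, so a CN carrying
        # any other realm, or none, is rejected.
        if (&TLS-Client-Cert-Common-Name !~ /@example\.com$/) {
            reject
        }

        # Allow-list of the only two identities that may authenticate
        # (the two users named in the question).  Anyone else is rejected.
        if (&TLS-Client-Cert-Common-Name == "bob@example.com") {
            ok
        }
        elsif (&TLS-Client-Cert-Common-Name == "alice@example.com") {
            ok
        }
        else {
            reject
        }
    }
}
```

A rejection here aborts the EAP-TLS handshake before Access-Accept is ever considered, so the checks take effect even if the default server's authorize/post-auth sections are left untouched.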