using SSL certs with EAP-TLS

Wouter radius at occult.nl
Sun Apr 17 07:14:01 CEST 2016


Morning,

On 6-4-2016 09:31, Stefan Winter wrote:
> Ah, well that's a reason for using a commercial CA for the client certs
> indeed. As others have pointed out, attributes like TLS-Client-Cert-CN
> can be used to compare the cert name against a list of known-good names.
> Of course you'll have to manage that list of names yourself in config;
> on a scale of "handful" that's not a problem I guess. But on a larger
> scale, it will get bothersome.

Thanks Alan and Stefan, I followed your hint of
TLS-Client-Cert-Common-Name and used the example from
http://security.stackexchange.com/questions/85239/freeradius-eap-tls-authenticate-based-on-client-certificate-cn
and now my config not only checks the validity of the certificate but
also that the CommonName matches one of the few domains I control.

Cheers,
Wouter
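
The check described in the message above, as an added example that is not part of the original post or taken from the poster's configuration: a sketch of a CN allow-list for FreeRADIUS 3.x, assuming the EAP module's `tls` section sets `virtual_server = check-eap-tls`. The domains `example.org` and `example.net` are placeholders. With a commercial CA every certificate that CA has issued passes chain validation, so the CN comparison is what limits access to your own names, and the pattern has to be anchored.

```text
# raddb/sites-available/check-eap-tls  (FreeRADIUS 3.x layout, assumed)
# Evaluated for EAP-TLS sessions once the certificate chain has validated.
server check-eap-tls {
	authorize {
		# Weak form, shown for contrast: unanchored, so it also accepts
		# any CN that merely contains the string, such as
		# "notexample.org" or "example.org.other.test".
		#
		# if ("%{TLS-Client-Cert-Common-Name}" =~ /example\.org/) {

		# Anchored form: the CN must equal a listed domain or end in
		# ".<domain>" or "@<domain>". example.org and example.net are
		# placeholders for the domains you control.
		if ("%{TLS-Client-Cert-Common-Name}" =~ /(^|[.@])(example\.org|example\.net)$/i) {
			update config {
				Auth-Type := Accept
			}
		}
		else {
			update config {
				Auth-Type := Reject
			}
			update reply {
				Reply-Message := "Certificate CN is not on the allowed list"
			}
		}
	}
}
```

Running the server in debug mode (`radiusd -X`) shows the expanded CN and which branch was taken for each test certificate.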

