TLS: assigning certificates to username

A.L.M.Buxey at A.L.M.Buxey at
Thu May 5 21:11:25 CEST 2016


> So in fact I revise my previous statement, if your cert contains an NAI in the CN part of the subject, your system administrator is an idiot.

but if we are being pragmatic.. subjectAltName used for proxying decisions in EAP-TLS? 

the commonname is used - therefore, unless ALL RADIUS servers are under your control/remit/purview
you have to work with the lowest common denominator... and in e.g. global RADIUS federated systems such as
eduroam - that means using CommonName for the NAI location. obviously, for internal systems,
you could bury the userinfo ANYWHERE in the cert... even use a nice local private x509 extension....


More information about the Freeradius-Users mailing list