Logging EAP-TLS certificate details
Alan DeKok
aland at deployingradius.com
Thu Mar 25 15:08:38 CET 2021
I'm sorry, but you're still completely missing my points. Matthew and I have both explained them in great detail, so it's not clear why they're not coming across.
In short, it is your responsibility to ensure that your local site is secure. The default configuration works most of the time, for most people.
We know that vendors do all kinds of stupid things. We know that many fields can be spoofed.
We know that when vendors break EAP / RADIUS, there are situations where the default configuration will not work.
It is IMPOSSIBLE for us to anticipate every possible situation that uses FreeRADIUS. It is IMPOSSIBLE for us to update the default configuration with examples for every possible site. It is IMPOSSIBLE for the default configuration to log all of the possible information which is needed by all possible networks.
The most we can do is to update the documentation to say "Hey, please be aware of this problem, and here are some options for addressing it".
When you ask for options in the default configuration to do this, our response is "edit the config files". You DO have options already. What is IMPOSSIBLE is an on/off flag for every possible situation.
Sorry, but that's the reality. Blaming us, attacking us, or implying that we're idiots is just not the correct response.
Alan DeKok.
More information about the Freeradius-Users
mailing list