:)
Lars Viklund wrote:
> Promise that it "must" is a bit strong :-) However, I would say that
> a NAS that doesn't do this is broken.
So, you are stating the same :)) Well, I would say the first RADIUS
client MUST do so, because otherwise what could it possibly put inside
User-Name, and why?
>> I believe it, too. I just have some doubts in the situation
>> mentioned in my previous mail. I could be wrong, though :) but you
>> still should prove it.
>
> Yes, but note that just adding this check will not close the hole we
> discussed previously since the rlm_eap_tls module currently doesn't
> seem to check the EAP identity.
So you want rlm_eap_tls to check if eap_id = certified identity,
right? Sounds very reasonable to me, but in some weird way, Windows XP
gives the possibility to use a certificate and explicitly type in some
name which then has to be put in eap_identity.
So we probably shouldn't verify that...
ciao
artur
--
Artur Hecker                 Groupe Accès et Mobilité
hecker[at]enst[dot]fr        Département Informatique et Réseaux
+33 1 45 81 7507             46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr    ENST Paris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
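The two checks discussed in this thread (User-Name against the EAP-Identity the NAS copied from the first EAP-Response/Identity, and EAP-Identity against the identity certified in the client certificate, with a switch for the Windows XP case where the user can type an arbitrary name), as an added example; this is not FreeRADIUS or rlm_eap_tls code, and the ClientCert structure and all inputs are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ClientCert:
    """Identities extracted from a client certificate (constructed, not
    parsed from a real X.509 object)."""
    subject_cn: str
    san_upns: list = field(default_factory=list)    # otherName UPN entries
    san_emails: list = field(default_factory=list)  # rfc822Name entries


def normalize(identity: str) -> str:
    """Strip whitespace and lower-case; NAIs are matched case-insensitively."""
    return identity.strip().lower()


def certified_identities(cert: ClientCert) -> set:
    """All names the certificate vouches for: CN plus SAN UPNs and e-mails."""
    ids = {normalize(cert.subject_cn)}
    ids.update(normalize(x) for x in cert.san_upns)
    ids.update(normalize(x) for x in cert.san_emails)
    return ids


def check_identities(user_name: str, eap_identity: str, cert: ClientCert,
                     require_cert_match: bool = True):
    """Return (ok, reason).

    Step 1: User-Name must equal EAP-Identity, since a correct NAS builds
    User-Name from the EAP-Response/Identity it forwarded.
    Step 2 (optional): EAP-Identity must be one of the certified identities.
    require_cert_match=False models the supplicant case from the thread,
    where a typed-in outer name legitimately differs from the certificate;
    a mismatch is then accepted but still reported in the reason string.
    """
    if normalize(user_name) != normalize(eap_identity):
        return False, "User-Name does not match EAP-Identity"
    if normalize(eap_identity) not in certified_identities(cert):
        if require_cert_match:
            return False, "EAP-Identity not certified by client certificate"
        return True, "ok (EAP-Identity not certified; match not required)"
    return True, "ok"


if __name__ == "__main__":
    cert = ClientCert("alice", san_upns=["alice@example.org"])
    print(check_identities("alice@example.org", "alice@example.org", cert))
    print(check_identities("bob", "alice", cert))
```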
