> From: Artur Hecker [mailto:[EMAIL PROTECTED]]
> Sent: 20 November 2002 19:16
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute? (to Artur and lars)
>
> > If the realm is stripped away, wouldn't this work just fine as long
> > as you just verify the User-Name against the certificate and ignore
> > the EAP identity?
>
> e.g., but then you propose to not verify the equality of all
> THREE fields.

Yes. As we have discussed, the important point is to verify that the User-Name used for authorization (and accounting) corresponds to the certificate used for authentication. The EAP identity shouldn't really matter if the User-Name is used directly for this verification.

I think verifying that the User-Name matches the EAP identity is more of a sanity check that can be ignored, without affecting security, if that simplifies the scenarios you are thinking about.
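The check discussed in this message, sketched as an added example; it is not code from the original post or from FreeRADIUS. It assumes the certificate's subject CN holds the bare user name and that realms are written `user@realm` or `REALM\user`; the function and field names are hypothetical.

```python
from dataclasses import dataclass


def strip_realm(identity: str) -> str:
    """Return the user part of 'user@realm' or 'REALM\\user' (assumed formats)."""
    if "\\" in identity:
        identity = identity.split("\\", 1)[1]
    return identity.rsplit("@", 1)[0]


@dataclass(frozen=True)
class Decision:
    accept: bool            # User-Name is bound to the authenticated certificate
    identity_matches: bool  # sanity check only: EAP identity equals User-Name
    reason: str


def check_request(user_name: str, eap_identity: str, cert_cn: str,
                  strict_identity: bool = False) -> Decision:
    """Bind the User-Name used for authorization/accounting to the client cert.

    cert_cn is the subject CN of the certificate that completed EAP-TLS
    (assumption: it contains the bare user name, without a realm).
    """
    user = strip_realm(user_name)
    if not user or not cert_cn:
        return Decision(False, False, "missing User-Name or certificate CN")

    identity_matches = strip_realm(eap_identity) == user

    # Mandatory check: without it, a holder of a valid certificate could be
    # authorized and accounted under a different User-Name.
    if user != cert_cn:
        return Decision(False, identity_matches,
                        "User-Name does not match certificate")

    # Optional sanity check: only enforced when the site asks for it.
    if strict_identity and not identity_matches:
        return Decision(False, False, "EAP identity differs from User-Name")

    return Decision(True, identity_matches, "ok")


if __name__ == "__main__":
    # Constructed sample requests: (User-Name, EAP identity, certificate CN)
    for req in [("alice@example.org", "alice@example.org", "alice"),
                ("alice@example.org", "anonymous@example.org", "alice"),
                ("bob@example.org", "alice@example.org", "alice")]:
        print(req, "->", check_request(*req))
```
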
