hi


>>> If the realm is stripped away, wouldn't this work just fine as long
>>> as you just verify the User-Name against the certificate and ignore
>>> the EAP identity?
>>
>> e.g., but then you propose to not verify the equality of all THREE
>> fields.
>
>
> Yes. As we have discussed the important point is to verify that the
> User-Name used for authorization (and accounting) corresponds to the
> certificate used for authentication. The EAP identity shouldn't
> really matter if the User-Name is used directly for this
> verification.

ok, so we would agree at:

- use some handler id_equality(..., ...) for the verification of the equality of User-Name and the certified identity.
- make this handler configurable in radius.conf.
- provide common radius variables and in particular the realm suffixes and the configured realms to the handler in some form.

(the best would be to provide the standard handler in this form, so everybody could modify the actual metrics).

something like that?


ciao
artur

--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr Département Informatique et Réseaux
+33 1 45 81 7507 46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr ENST Paris


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
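
A sketch of the `id_equality` handler proposed in the message above, added here as an example; it is not code from the thread or from FreeRADIUS. The realm list, the helper names `ieq` and `user_len`, the case-sensitive user comparison and the rule that two realms must match are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed realm list; the proposal would pass in the server's configured realms. */
static const char *const realms[] = { "example.org", "wlan.example.org", NULL };

/* Case-insensitive comparison of n bytes (realms are DNS-style names). */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Length of the user part: text before the last '@' when the suffix is a
 * configured realm, otherwise the whole string. Unknown realms are never
 * stripped, so "alice@evil.test" cannot collapse to "alice". */
static size_t user_len(const char *id, size_t len)
{
    size_t at = len;
    for (size_t i = 0; i < len; i++)
        if (id[i] == '@') at = i;
    if (at == len) return len;
    for (size_t r = 0; realms[r]; r++)
        if (strlen(realms[r]) == len - at - 1 && ieq(id + at + 1, realms[r], len - at - 1))
            return at;
    return len;
}

/* True only if User-Name and the certified identity name the same user.
 * Lengths are explicit so an embedded NUL cannot truncate either value. */
bool id_equality(const char *user_name, size_t ulen, const char *cert_id, size_t clen)
{
    if (memchr(user_name, '\0', ulen) || memchr(cert_id, '\0', clen))
        return false;
    size_t u = user_len(user_name, ulen), c = user_len(cert_id, clen);
    if (u == 0 || u != c || memcmp(user_name, cert_id, u) != 0)
        return false;                 /* user parts compared byte for byte */
    if (u < ulen && c < clen)         /* both carry a realm: must be the same one */
        return ulen == clen && ieq(user_name + u, cert_id + c, ulen - u);
    return true;
}
```

The EAP identity is deliberately not an input: only the User-Name used for authorization and the identity taken from the certificate are compared.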
