Hello,
When you use authentication via EAP-TLS it is possible to send a User-Name in
RADIUS which does not match the user name in the client certificate. In such a
case the user gets authenticated with a wrong user name. Accounting
information will be saved with a wrong user name. Someone can spoof the
identity of someone else.
To avoid this, such certificates should be rejected. Here is a diff against
freeradius-snapshot-20040122.
--- src/modules/rlm_eap/types/rlm_eap_tls/cb.c 2004-01-23 08:25:33.000000000
+0100
+++ src/modules/rlm_eap/types/rlm_eap_tls/cb.c 2004-01-23 08:34:06.000000000
+0100
@@ -143,6 +143,23 @@
break;
}
+ /*
+ * Check user-name in client certificate.
+ * Should be the same as in radius packet.
+ */
+ if (depth == 0 ) {
+ /* This is a client certificate */
+ user_name, buf );
+ if( strcmp(user_name,buf) != 0 )
+ {
+ radlog(L_ERR, "User-Name in Radius didn't match "
+ "client-Certificate: Radius = %s , Certificate = %s",
+ user_name, buf);
+ ok=0;
+ }
+ }
+
+
if (debug_flag > 0) {
radlog(L_INFO, "chain-depth=%d, ", depth);
/*
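Review bot: The line `+ user_name, buf );` is incomplete as posted, so the hunk never shows how `buf` is filled from the client certificate before `strcmp(user_name,buf)`; the patch should include the full statement that extracts the subject name into `buf` (and how large `buf` is), otherwise a reviewer cannot confirm the comparison operates on a NUL-terminated subject field. The hunk also does not show where `user_name` comes from; if it can be NULL when the Access-Request carries no User-Name attribute, add a guard such as `if (user_name == NULL || strcmp(user_name, buf) != 0)` before the comparison so the callback rejects rather than dereferencing NULL. Finally, the check is an exact, case-sensitive string match and is only applied at `depth == 0`; the comment above the block should state both, since a User-Name that differs only in case from the certificate subject will now be rejected, which is the intended behaviour but worth documenting for administrators reading the `radlog(L_ERR, ...)` message.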
regards
Gunter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html