Hello,
I have been playing around with EAP-TLS using freeradius (CVS from 2004-03-13 06:30 GMT), xsupplicant 0.8b (+minor patches), a Zyxel G-1000 AP and several Wireless cards. All the things take place on a mixture of linux machines. So far everything works quite well, including dynamic WEP keys, etc. However, the following troubles me, and I couldn't find any hints in the documentation, source or web regarding this, but maybe I was just looking in all the wrong places or I am misunderstanding something fundamental. If this is the case please just tell me. So: xsupplicant requires an "id" for authenticating to radius. This ID ends up as the User-Name in the radius request(s). I guess other 802.1x supplicant implementations do this similar. (Is this true?) Using EAP-TLS obviously requires a X509 certificate on the client side as well. The problem is that there is no connection between the certificate and the id / User-Name: * The User-Name can be freely chosen by the supplicant. This username is then used for authorization (NOT authentication) * The certificate gets used for authentication (NOT authorization) Trouble is: There is no connection between the two. Assume the following situation: Users A and B have been granted certificates from the same CA, but only user A should be granted wireless access. The radius server gets configured to accept certificates signed by the CA for EAP-TLS and the authorization section of freeradius only allows user A in. If user B configures his/her supplicant to use "A" for the id / User-Name and B's certificate, then B will be granted access based on the authorization of A and the authentication of B's certificate. One solution would be to base the authorization on the content of the certificate (its DN or DN parts). Is this possible with current sources? Anybody working on it? Would this be simple to add? It seems the current EAP-TLS implementation in freeradius does the TLS-handshake after the authorization phase (looking at the logs produced by "radiusd -X" seems to indicate this), which would make authorization based on certificate content look harder to implement for me.... On a side note: The very same issue seems to make it impossible to do any Simultanous-Use restrictions based on certificates. A user could just install the very same certificate on several machines and configure a different (allowed) User-Name for 802.1x. This would allow a single certificate to be used on more than one machine simultanously, blocking legitimate users and creating a DoS problem. peter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
