Hello Artur,

On Sun, 21 Mar 2004, Artur Hecker wrote:
> > Trouble is: There is no connection between the two. Assume the following
> > situation:
>
> yes. the issue is known though: it has been discussed several times on
> the list so far (please, search the archives). i think, raghu was the
> first to mention it but i could be wrong...

I seem to be completely incapable of digging up this information (tried it before, tried it again right now, will try it again; I just seem to be unable to come up with the right search words - this is an unusual experience - am I getting old?). I apologize for any noise I therefore "have" to generate here.

> the trouble with this is that people have different understandings of
> what should be in the User-Name. Windows XP e.g. automatically puts the
> CN in it (but as you said before, you can override it). however, the
> mail address would be a reasonable alternative to CN. the problem is
> even worse when you are using proxying, since the CN typically will not
> contain the realm but the User-Name should do so if you want proxying to
> happen, so typically you can not just strcmp the strings but need some
> handler for that. briefly, it depends on what you certify and what you
> do with it.

Personally, I favour a UID field within the certificate, but others have different requirements, agreed.

> so, it's still unresolved because the requirements vary a lot.

I can live with this, as long as there is _some_ way to solve this.

> > Is this possible with current sources? Anybody working on it? Would this
> > be simple to add? It seems the current EAP-TLS implementation in
>
> yes, in the EAP-TLS module you can add a line to check whether the
> EAP-Identity (which is always equal to the User-Name if you trust your
> NASes) equals whatever you have in the certificates, e.g. the CN.

Can you give any hints? I briefly looked at the source to find any "hidden" configuration options but couldn't find anything that looked promising at first sight.
> you can also write an external authorization script which would do that
> checking. the certified content is not encrypted, so you can freely read it.
>
> i think there are more solutions in the list-archive, search it. :-)

... still trying

> all issues you talk about are true: accounting without any changes is a
> problem. as explained above, due to the quite different requirements
> there is imho no such thing as a general solution.

There never is...

thanks for your quick reply

peter

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
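As an added illustration of the check discussed in this exchange (example code, not from the FreeRADIUS project or from either poster), here is how an external authorization step could compare the RADIUS User-Name against a client certificate's CN or e-mail address while tolerating a proxy realm suffix, which is exactly why a plain strcmp is not enough. The subject string, the realm set and the sample user names are constructed assumptions.

```python
# Added example: compare the User-Name / EAP-Identity with a client
# certificate subject. The subject is handled as an RFC 4514 style string
# ("CN=alice,emailAddress=alice@example.org,O=Example"); values are assumed
# not to contain escaped commas (simplification for the example).

def parse_subject(subject: str) -> dict:
    """Split a comma-separated DN into an attribute -> value dict."""
    attrs = {}
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key:
            attrs[key.strip()] = value.strip()
    return attrs

def strip_realm(user_name: str, realms: set) -> str:
    """Drop an '@realm' suffix only when the realm is one we serve or proxy,
    so a mail address used as identity is not mistaken for a realm name."""
    local, sep, realm = user_name.rpartition("@")
    if sep and realm.lower() in realms:
        return local
    return user_name

def identity_matches(user_name: str, cert_subject: str, realms: set) -> bool:
    """Accept if the realm-stripped User-Name equals the certificate CN, or
    the full User-Name equals the certificate e-mail address."""
    attrs = parse_subject(cert_subject)
    cn = attrs.get("CN", "")
    email = attrs.get("emailAddress", "")
    bare = strip_realm(user_name, realms)
    if bare and bare == cn:
        return True
    return bool(email) and user_name.lower() == email.lower()

if __name__ == "__main__":
    # Constructed sample certificate subject and local realm list.
    subject = "CN=alice,emailAddress=alice@example.org,O=Example"
    realms = {"example.org"}
    for name in ("alice", "alice@example.org", "bob@example.org", "alice@other.net"):
        naive = name == parse_subject(subject)["CN"]   # plain strcmp-style check
        print(f"{name:20} strcmp={naive!s:5} realm-aware={identity_matches(name, subject, realms)}")
```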

