On Sun, 21 Mar 2004, Alan DeKok wrote:
> Peter Stamfest <[EMAIL PROTECTED]> wrote:
> > One solution would be to base the authorization on the content of the
> > certificate (its DN or DN parts).
> >
> > Is this possible with current sources?
>
> If it's not in the current CVS, I do know there was a patch posted a
> while back. My "patches" mail folder says:
>
> Nov. 26 Michael Griego [Patch] Add CN Checking for EAP-TLS authentication

This patch is not in CVS. It seems not to apply anymore.

> It's worse than that. Simultaneous-Use is problematic for *any* EAP
> method. The AP often doesn't keep track of who's logged on, so
> checkrad doesn't work. It often doesn't supply things like NAS-Port,
> so radutmp doesn't work.

Agreed, I'm seeing this very effect in reality. I meant: even if everything
else worked perfectly on the technical side, users could still break it.

> And when using certificates, TTLS and PEAP are problematic. There's
> an "outer" User-Name, and an "inner" User-Name. Which one do you use?
> You can send a User-Name back in an Access-Accept, but you need to
> send the inner one, as the outer is often "anonymous". But if you do
> that, everyone else on the network can see that inner
> username... which was previously hidden in a TLS tunnel.
>
> It's not nice.

Certainly not.

peter

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
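Added example (not code from this thread, from FreeRADIUS, or from the Michael Griego patch mentioned above): what "base the authorization on the content of the certificate (its DN or DN parts)" looks like for plain EAP-TLS, where there is only one User-Name and nothing is hidden in a tunnel, so echoing the certificate CN back in the Access-Accept leaks nothing new. The RFC 4514 DN string, the constructed allow-list and the function names are all assumptions for illustration; the TTLS/PEAP inner/outer dilemma Alan describes is not addressed here.

```python
# Added example: authorize an EAP-TLS peer on its client-certificate Subject
# DN rather than on the self-asserted User-Name. Not FreeRADIUS code.
# Assumptions: the server gives us the subject as an RFC 4514 string such as
# "CN=alice,OU=Staff,O=Example Corp,C=AT"; an allow-list maps permitted CNs
# to the O they must belong to; the outer User-Name must equal the CN.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 DN string into (TYPE, value) pairs.

    Handles backslash escapes ("Example\\, Inc") and hex-pair escapes
    ("\\2c", decoded as a single byte; multi-byte UTF-8 escapes are out of
    scope). Multi-valued RDNs joined with "+" are split like ",".
    Raises ValueError on a malformed DN so a bad cert is rejected, not
    silently accepted.
    """
    pairs: List[Tuple[str, str]] = []
    attr: List[str] = []
    value: List[str] = []
    in_value = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling escape in DN")
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(h in "0123456789abcdefABCDEF" for h in hexpair):
                (value if in_value else attr).append(chr(int(hexpair, 16)))
                i += 3
            else:
                (value if in_value else attr).append(dn[i + 1])
                i += 2
            continue
        if not in_value and c == "=":
            in_value = True
        elif in_value and c in ",+":
            pairs.append(("".join(attr).strip().upper(), "".join(value).strip()))
            attr, value, in_value = [], [], False
        else:
            (value if in_value else attr).append(c)
        i += 1
    if not in_value:
        raise ValueError("DN does not end in an attribute=value pair")
    pairs.append(("".join(attr).strip().upper(), "".join(value).strip()))
    if any(a == "" for a, _ in pairs):
        raise ValueError("empty attribute type in DN")
    return pairs


def get_cn(pairs: List[Tuple[str, str]]) -> Optional[str]:
    """Return the CN only if the DN carries exactly one; two CNs are ambiguous."""
    cns = [v for a, v in pairs if a == "CN"]
    return cns[0] if len(cns) == 1 else None


# Constructed allow-list (hypothetical): lowercase CN -> required O.
ALLOWED: Dict[str, str] = {
    "alice": "Example Corp",
    "bob": "Example Corp",
}


@dataclass
class Decision:
    accept: bool
    reason: str
    # Identity to return as User-Name in the Access-Accept, if accepted.
    accept_user_name: Optional[str] = None


def authorize_eap_tls(subject_dn: str, outer_user_name: str) -> Decision:
    """Decide on an EAP-TLS peer from its cert subject and outer User-Name."""
    try:
        pairs = parse_dn(subject_dn)
    except ValueError as e:
        return Decision(False, f"malformed DN: {e}")
    cn = get_cn(pairs)
    if cn is None:
        return Decision(False, "certificate has no single CN")
    org = next((v for a, v in pairs if a == "O"), None)
    if ALLOWED.get(cn.lower()) != org:
        return Decision(False, f"CN {cn!r} in O {org!r} is not allowed")
    # The outer User-Name is what the NAS logs and what Simultaneous-Use
    # would key on, so tie it to the certificate instead of trusting it.
    if outer_user_name.lower() != cn.lower():
        return Decision(False, f"User-Name {outer_user_name!r} does not match CN {cn!r}")
    return Decision(True, "CN allowed", accept_user_name=cn)


if __name__ == "__main__":
    print(authorize_eap_tls("CN=alice,OU=Staff,O=Example Corp,C=AT", "alice"))
    print(authorize_eap_tls("CN=alice,O=Example Corp,C=AT", "anonymous"))
```

The check deliberately fails closed on anything it cannot parse, on a DN with zero or several CNs, and on a User-Name that disagrees with the certificate, since the User-Name is the one thing the supplicant chooses freely.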

