On 11/8/05, Michael Griego <[EMAIL PROTECTED]> wrote:

Ben Walding wrote:
> We've found in testing that the XP supplicant (with certain patches)
> will read the certificate and send a User-Name that is constructed
> from the certificate CN (host/ + cert CN); thus rendering the whole
> "checking the CN process" fairly pointless for XP supplicants.

This is only true when a certificate is used for machine authentication,
not for user authentication.

Ahh, this explains a thing or two! We knew we'd seen behaviour where it sent the machine name rather than the name of the certificate earlier in our testing. But couldn't replicate it (since we had locked everything down to machine auth by the final stages).

To get around the problem stated above, all you have to do is create
two instances of the EAP module.  In cases where the User-Name attribute
begins with "host/", just send those authentications to the second EAP
module, and have the check_cert_cn parameter set to check for
"host/%{User-Name}".  This way you can still be assured of proper
authorization.

We added a few lines into hints -

DEFAULT Prefix == "host/"
        Hint = "Wireless-Workstation"

DEFAULT Prefix == "host\\"
        Hint = "Wireless-Workstation"

DEFAULT Prefix == "\\"
        Hint = "Wireless-PDA"

This resolved the issues we saw with prefixes and let us identify PDAs as they authenticated into the system (not that we do anything with this piece of information).


Cheers,

Ben
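The prefix handling and the CN-versus-User-Name comparison discussed in this message, as an added Python model (not code from the thread and not FreeRADIUS code) of what the two EAP instances and the hints entries are meant to achieve: classify the User-Name by prefix into the same Hint values Ben lists, strip the "host/" prefix the XP supplicant adds for machine authentication, and compare the remainder against the CN pulled from the certificate subject. The subject-string format, the case-insensitive comparison, and all sample requests are assumptions made for the example.

```python
"""Added example (not from the thread or from FreeRADIUS): models the
prefix-based hint classification and the certificate CN check in Python.
"""
import re

# Prefix -> Hint mapping, constructed to mirror the hints entries in the
# thread. Order matters: "host\\" must be tried before the bare "\\" prefix.
PREFIX_HINTS = [
    ("host/", "Wireless-Workstation"),
    ("host\\", "Wireless-Workstation"),
    ("\\", "Wireless-PDA"),
]

# Prefix the XP supplicant puts in front of the cert CN for machine auth.
MACHINE_PREFIX = "host/"


def classify_hint(user_name):
    """Return the Hint value for a User-Name, or None if no prefix matches."""
    for prefix, hint in PREFIX_HINTS:
        if user_name.startswith(prefix):
            return hint
    return None


def cn_from_subject(subject):
    """Extract the CN from an OpenSSL-style '/C=../O=../CN=..' subject string
    (assumed format). Returns None if there is no CN component."""
    match = re.search(r"(?:^|/)CN=([^/]+)", subject)
    return match.group(1) if match else None


def expected_cn(user_name):
    """The CN the certificate must carry for this User-Name.

    For machine authentication the User-Name arrives as 'host/<cert CN>',
    so the prefix is stripped before comparing; for user authentication
    the User-Name is compared to the CN as-is."""
    if user_name.startswith(MACHINE_PREFIX):
        return user_name[len(MACHINE_PREFIX):]
    return user_name


def authorize(user_name, cert_subject):
    """Decide whether the presented certificate is acceptable for User-Name.

    The comparison is case-insensitive (an assumption: hostnames and
    account names are not case-sensitive here). Returns the hint, the CN
    the certificate carried, the CN expected, and the decision."""
    cert_cn = cn_from_subject(cert_subject)
    wanted = expected_cn(user_name)
    ok = cert_cn is not None and cert_cn.lower() == wanted.lower()
    return {
        "hint": classify_hint(user_name),
        "cert_cn": cert_cn,
        "expected_cn": wanted,
        "authorized": ok,
    }


if __name__ == "__main__":
    # Constructed sample requests: (User-Name, certificate subject)
    samples = [
        ("host/ws01.example.com", "/C=AU/O=Example/CN=ws01.example.com"),
        ("host/ws01.example.com", "/C=AU/O=Example/CN=ws02.example.com"),
        ("alice", "/C=AU/O=Example/CN=alice"),
    ]
    for name, subject in samples:
        print(name, authorize(name, subject))
```

The second sample is the case the CN check exists for: a machine presenting a certificate issued to a different host is refused even though its User-Name carries the expected "host/" prefix.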

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
