> Hangjun He wrote:
> > And I use EAP-TLS and with correct certs. Even if I set wrong
> > username in Odyssey Client, freeRADIUS will return
> > success.(check_cert_cn not set).
>
> EAP-TLS authenticates users based on certificates. It ignores the
> user name.

I think that's not completely correct. When you use EAP-TLS, the username in the RADIUS packet is the common name of your certificate. So you can check in the users file against the common name, and reject specific common names...

If you set check_cert_cn to "yes", then the server will compare the common name of the certificate with the User-Name in the RADIUS packet (as I said, this is normally also the common name).

> > Can I let freeRADIUS to check if username in the users file or other
> > database? If not, reject user.
>
> Yes. Configure that:
>
> bob Auth-Type := Reject
>
> Alan DeKok.

Sebastian
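The two controls discussed in this thread, side by side, as an added configuration sketch that is not part of the original messages. It assumes the stock eap.conf form of the option, where check_cert_cn holds a string that is expanded and compared with the certificate CN, and that the files module runs in the authorize section; "alice" is a placeholder name.

```text
# --- eap.conf, inside eap { tls { ... } } ---

# Option left unset (the situation in the original question): any client
# certificate that validates is accepted, whatever User-Name is sent.
#       check_cert_cn = %{User-Name}

# Option set: the expanded string must equal the CN of the client
# certificate, otherwise certificate verification fails and the
# user is rejected.
        check_cert_cn = %{User-Name}

# --- users file (entries are matched top to bottom) ---

# Reject one specific name: the entry quoted in the thread.
bob     Auth-Type := Reject

# Constructed allow-list entry: a name with its own entry matches here,
# stops, and carries on to EAP-TLS authentication.
alice
        Fall-Through = No

# Every name without an entry above is rejected.
DEFAULT Auth-Type := Reject
```

With check_cert_cn set, the name matched in the users file is tied to the certificate CN, so the allow-list and the reject entry apply to the certificate identity rather than to whatever name the supplicant types.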

