kas mataz wrote:
> We've noticed several people have posted their eap.conf for eap-tls
> troubleshooting, and that both the check_cert_issuer and check_cert_cn
> are commented out. In these configurations is freeradius just checking
> for the certificate in the crl list and that the proper CA root is in
> the CA_file on the freeradius server?
>
> What is gained by using check_cert_cn?

  Some sanity checking.  It's common across many different RADIUS servers.

> When we have check_cert_cn enabled it seems that the User-Name is
> translated differently from different types of devices. When a test user
> with an iPhone tries to connect he receives errors, but the same
> certificate on a Microsoft Vista wireless client is successfully
> authenticated. We've seen this with both freeradius v1.1.7 and v2.1.1.
> Which file controls the User-Name translation?

  Nothing.  It's the client device that is responsible for sending the
EAP identity (which gets copied to the User-Name).  If the client device
does it wrong... the user won't be authenticated.

  This is actually a significant problem for more than just EAP-TLS.  I'm
in the process of updating RFC4282.  The changes should help guide
implementors as to what to do.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
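The exchange above turns on one comparison: the CN in the client certificate against whatever EAP identity the supplicant sent, which the server copied into User-Name. The following Python is an added illustration of that check and is not FreeRADIUS code; the certificate CN, the sample identities and the "relaxed" policy are all constructed for the example (it assumes the site realm is `example.com`, that an identity with no realm is local, and that the last `@` separates user from realm). A plain equality check, which is what `check_cert_cn = %{User-Name}` amounts to, passes only when the supplicant sends exactly the CN; any device that sends an NAI (`user@realm`), or changes case, fails, which is the symptom described in the thread.

```python
"""
Added example (not FreeRADIUS code): what a check_cert_cn-style sanity
check sees when different supplicants send different EAP identities.

All certificate CNs and identities below are constructed sample data,
not captures from real devices.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class EapIdentity:
    user: str
    realm: Optional[str]


def parse_nai(identity: str) -> EapIdentity:
    """Split an NAI (RFC 4282 style, user@realm) into user and realm.

    Assumption for this example: the last '@' is the separator, and an
    identity without '@' has no realm (treated as local below).
    """
    if "@" in identity:
        user, _, realm = identity.rpartition("@")
        return EapIdentity(user=user, realm=realm or None)
    return EapIdentity(user=identity, realm=None)


def strict_cn_check(cert_cn: str, user_name: str) -> bool:
    """Plain equality: what check_cert_cn = %{User-Name} amounts to."""
    return cert_cn == user_name


def relaxed_cn_check(cert_cn: str, user_name: str,
                     expected_realm: Optional[str] = None) -> bool:
    """One possible site policy (an assumption of this example, not what
    FreeRADIUS does): compare only the user part of the NAI with the CN,
    case-insensitively, and if the identity carries a realm require it
    to be the expected one.  A missing realm is accepted as local.
    """
    ident = parse_nai(user_name)
    if ident.realm is not None and expected_realm is not None:
        if ident.realm.lower() != expected_realm.lower():
            return False
    return ident.user.lower() == cert_cn.lower()


# Constructed: CN of the subject in the user's client certificate.
CERT_CN = "alice"

# Constructed sample EAP identities, as different supplicants might send
# them for the same certificate.
SAMPLE_IDENTITIES = {
    "bare username": "alice",
    "NAI with realm": "alice@example.com",
    "upper-case NAI": "ALICE@EXAMPLE.COM",
    "other realm": "alice@evil.example",
    "other user": "bob@example.com",
}


def evaluate(cert_cn: str = CERT_CN,
             identities: Dict[str, str] = SAMPLE_IDENTITIES,
             realm: str = "example.com") -> Dict[str, Dict[str, bool]]:
    """Run both checks over every sample identity; returns per-label results."""
    return {
        label: {
            "strict": strict_cn_check(cert_cn, ident),
            "relaxed": relaxed_cn_check(cert_cn, ident, realm),
        }
        for label, ident in identities.items()
    }


if __name__ == "__main__":
    for label, result in evaluate().items():
        print(f"{label:16s} strict={result['strict']!s:5s} "
              f"relaxed={result['relaxed']}")
```

The point of the table this prints is the one Alan makes: the server does not translate User-Name at all, so whichever identity format a device chooses is what the CN is compared against, and a strict equality check is only as consistent as the supplicants are. Any relaxed policy is a local decision; the "other realm" row shows why the realm still has to be checked rather than simply discarded.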

