On Wednesday 02 December 2009 12:05:14 am Alan DeKok wrote:
> gera wrote:
> > BUT, we noted an interesting behaviour. If the client specifies Windows to
> > use another username to login, although freeradius complains that the
> > user doesn't exist on ldap, it seems it still accepts this user, as long
> > as the certificate is fine.
>
> That's how EAP-TLS works.

Ok, I understand. But is there any way in which we can only take care of the commonName on the certificate, ignoring what the user is sending in?

> > So, in this case, if the user isn't allowed to login
> > because of simultaneous use, he still can change the username which he
> > uses, specifying another one (whichever, even if it doesn't exist) and
> > voilà! He can now log in.
> >
> > I'm sure I'm missing something, but I'm not sure what.
>
> You need to update the CRL to revoke the certificate. The user then
> can't use it for authentication.

But in this case, the user will no longer be able to login to the system, until he gets a new certificate, right?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
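Added example, not from the thread or the FreeRADIUS project: a FreeRADIUS 2.x `eap.conf` fragment showing the weak setting beside the corrected one. The surrounding layout and the `${certdir}`/`${cadir}` paths are assumed placeholders; the `check_cert_cn` and `check_crl` keys are the stock options of the `tls` section.

```conf
# raddb/eap.conf (FreeRADIUS 2.x); only the keys relevant to the thread are shown.
eap {
	default_eap_type = tls
	tls {
		certificate_file = ${certdir}/server.pem    # placeholder paths
		private_key_file = ${certdir}/server.key
		CA_file          = ${cadir}/ca.pem

		# Weak: with check_cert_cn unset, any EAP identity is accepted as long
		# as the client certificate chains to CA_file, so a user who is blocked
		# by Simultaneous-Use can simply present a different User-Name.
		# (no check_cert_cn line)

		# Hardened: the EAP identity must equal the certificate's commonName,
		# so the session is tied to the CN and the username trick is rejected.
		check_cert_cn = %{User-Name}

		# Hardened: honour the CRL in CA_path so a revoked certificate is
		# refused at the TLS handshake instead of being accepted.
		check_crl = yes
		CA_path   = ${cadir}
	}
}
```

With `check_cert_cn` in place the Simultaneous-Use limit applies to the identity in the certificate, so revoking via CRL is only needed when the certificate itself must stop working, not to enforce the session limit.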

