When using EAP-TLS, is there any sane way of restricting the use of a CA certificate to a subset of the possible identities? I.e., is it possible to configure a single FreeRADIUS 2 server to accept users @foo.my.domain only if their certificates are signed with CA-Cert.foo and users @bar.my.domain only if theirs are signed with CA-Cert.bar?
It looks a bit tough because (if I got it right) eap.conf doesn't use unlang and no information whatsoever from the CA certificate used for verification is available as an attribute. Alternatively, is it possible to log the name of the CA certificate on successful login? So that even if the logged user identity is [email protected] the log shows that the user cert was actually issued by bar.my.domain. Thanks for any hints.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
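The following is an added illustration, not configuration from the original post or from the FreeRADIUS project: a post-auth policy that ties each realm to the issuer DN of the presented client certificate, plus a linelog instance that records which CA actually signed the certificate. It assumes a FreeRADIUS 2.1.x build that places the peer certificate's fields into the request list as TLS-Client-Cert-Issuer (confirm with `radiusd -X` that the attribute appears during an EAP-TLS exchange before relying on it), that the `suffix` module in `authorize` has already split User-Name into Stripped-User-Name and Realm, and that both CA certificates are in the `ca_file` configured in eap.conf (otherwise the handshake fails before this policy runs). The issuer DN strings and the log path are placeholders to adjust.

```unlang
# Added example, not from the original post. Two pieces: a linelog instance
# (goes in raddb/modules/linelog) and a post-auth policy (goes in the virtual
# server that terminates EAP-TLS, raddb/sites-enabled/default in a stock
# 2.x install).

# --- raddb/modules/linelog -------------------------------------------------
# Records the issuer independently of the identity the supplicant claimed,
# so a [email protected] identity carrying a CA-Cert.bar certificate is visible.
linelog cert_issuer_log {
    filename = ${logdir}/eap-tls-issuer.log
    format = "%{User-Name} realm=%{Realm} issuer=\"%{TLS-Client-Cert-Issuer}\" subject=\"%{TLS-Client-Cert-Subject}\" serial=%{TLS-Client-Cert-Serial}"
}

# --- raddb/sites-enabled/default, post-auth section -----------------------
post-auth {
    # Log first, so rejected attempts are recorded as well as accepted ones.
    cert_issuer_log

    # Issuer DNs below are placeholders (assumed); paste the exact string that
    # "radiusd -X" prints for TLS-Client-Cert-Issuer for each CA. Compare the
    # full DN, not just the CN, and note that with an intermediate CA this
    # attribute holds the intermediate's DN, not the root's.
    if (Realm == "foo.my.domain") {
        if (TLS-Client-Cert-Issuer != "/C=XX/O=Example/CN=CA-Cert.foo") {
            update reply {
                Reply-Message := "Certificate not issued by the CA for realm foo.my.domain"
            }
            reject
        }
    }
    elsif (Realm == "bar.my.domain") {
        if (TLS-Client-Cert-Issuer != "/C=XX/O=Example/CN=CA-Cert.bar") {
            update reply {
                Reply-Message := "Certificate not issued by the CA for realm bar.my.domain"
            }
            reject
        }
    }
    else {
        # Unknown or missing realm: fail closed rather than accept any
        # certificate that merely chains to one of the trusted CAs.
        update reply {
            Reply-Message := "Realm not mapped to a CA"
        }
        reject
    }

    # Rest of the stock post-auth section (exec, etc.) follows here.
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

Because OpenSSL only decides "chains to some trusted CA", the realm-to-issuer binding has to be enforced after the handshake, as above; keeping the two CAs in separate `ca_file`s is not an option on a single `tls` instance. In 2.1.x the `verify { client = "..." }` block in the `tls` section of eap.conf can alternatively run an external command (e.g. `openssl verify` against a per-realm CA file) over the client certificate before the handshake completes, which moves the check earlier at the cost of an exec per authentication.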

