On 08 Jan 2012, at 5:01 PM, Alan DeKok wrote:

>> When using client certificates in EAP-TLS, the check_cert_cn option exists
>> that allows you to check that the username matches the CN. Is there a
>> corresponding option somewhere that will allow you to verify the User-Name
>> against the subjectAltName instead?
>
> In the latest version of the server, see
> raddb/sites-available/default. Look for TLS-Cert
That wasn't quite what I was after, but rather a generic way to ensure the User-Name matches either dnsName or rfc822Name in the subjectAltName, depending on whether the peer was a host or a person. Turned out the patch to implement this was simple, for freeradius-server-master:
freeradius-master-check_cert_san.patch
And this is the same patch, backported to v2.1.x:
freeradius-check_cert_san.patch
It adds a check_user_san option, which some googling showed past people have asked about.

Regards,
Graham
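An added example, not the attached patch and not FreeRADIUS code: the check the message describes, written in Python over a hand-constructed DER subjectAltName value (FreeRADIUS gets the SAN from OpenSSL rather than parsing it itself). The rule of deciding person vs. host by the presence of '@', and the case-handling of the comparison, are assumptions made here.

```python
RFC822_NAME_TAG = 0x81  # GeneralName [1] rfc822Name, IMPLICIT IA5String
DNS_NAME_TAG = 0x82     # GeneralName [2] dNSName, IMPLICIT IA5String

def _read_length(der, pos):
    """Decode a DER length at der[pos]; return (length, offset after it)."""
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_san(der):
    """Return [(tag, name)] for rfc822Name/dNSName entries; other forms are skipped."""
    if der[0] != 0x30:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    length, pos = _read_length(der, 1)
    end, names = pos + length, []
    while pos < end:
        tag = der[pos]
        length, pos = _read_length(der, pos + 1)
        if tag in (RFC822_NAME_TAG, DNS_NAME_TAG):
            names.append((tag, der[pos:pos + length].decode("ascii")))
        pos += length
    return names

def user_name_matches_san(user_name, san_der):
    """Assumed rule: a User-Name with '@' is a person and must equal an rfc822Name
    (local part exact, domain case-insensitive); otherwise it must equal a dNSName."""
    if "@" in user_name:
        local, _, domain = user_name.rpartition("@")
        for tag, name in parse_san(san_der):
            san_local, _, san_domain = name.rpartition("@")
            if (tag == RFC822_NAME_TAG and san_local == local
                    and san_domain.lower() == domain.lower()):
                return True
        return False
    wanted = user_name.rstrip(".").lower()
    return any(tag == DNS_NAME_TAG and name.rstrip(".").lower() == wanted
               for tag, name in parse_san(san_der))

def _general_name(tag, value):
    body = value.encode("ascii")
    return bytes([tag, len(body)]) + body  # short-form length, value < 128 bytes

# Constructed sample SAN (not from a real certificate): one host, one person.
_body = (_general_name(DNS_NAME_TAG, "laptop.example.org")
         + _general_name(RFC822_NAME_TAG, "graham@example.org"))
SAMPLE_SAN = bytes([0x30, len(_body)]) + _body
```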

