On 10 Jan 2012, at 2:27 PM, Alan DeKok wrote:

>> Would there be any ill effects if the rlm_eap_tls certificate parsing was
>> moved from the authenticate section to the authorize section?
>
> Likely not. But the difficulty is doing that *only* for the EAP-TLS
> code. The EAP modules currently do all of their work in the
> "authenticate" section, for good reason. Nearly everything in EAP is
> based on authentication. So doing the work in another section would be
> hard.

Hmmm... I think I have worked around my problem for now with the check_client_san patch, as with it I can enforce that User-Name matches the subjectAltName, and then use the User-Name as the key for authorization.

Regards,
Graham

