On 03.08.2012 22:06, Alan DeKok wrote:
Klaus Klein wrote:
  I'm working on securing the access to a WLAN network with
WPA2-Enterprise, EAP-TLS and a FreeRADIUS server.
   Which uses certificates for authentication.
Correct.

Everything seemed to work as expected until I realized that a client will
be authenticated (by eap) even if the user(name), provided with the
mandatory "identifier" entry in wpa_supplicant.conf, doesn't exist in
the users file.
   That's how EAP-TLS works.
Is it then correct that the 'check_cert_cn' option in eap.conf is the only way 
to prevent anyone on the client side from tampering with the identity entry, and 
thereby avoiding restrictions (e.g. Login-Time) for that client?

Or is there another/better way to tie any setting to an EAP-TLS authenticated 
client?

Cheers,
Klaus
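
A minimal model of the behaviour discussed in this thread, added here as an illustration (it is not part of the original messages and is not FreeRADIUS code): the TLS handshake validates only the certificate, so per-user items looked up by the client-supplied identity are reliable only if that identity is compared against the certificate CN, which is the comparison 'check_cert_cn' performs. The names USERS, cert_cn() and authorize() are hypothetical, and the user entries and subject strings are constructed.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for per-user check items in the users file.
USERS = {
    "alice": {"Login-Time": "Wk0800-1800"},
    "bob": {"Login-Time": "Al0000-2400"},
}


def cert_cn(subject: str) -> Optional[str]:
    """Return the CN from a slash-separated subject, e.g. '/C=DE/O=Example/CN=alice'."""
    match = re.search(r"(?:^|/)CN=([^/]+)", subject)
    return match.group(1) if match else None


def authorize(identity: str, subject: str,
              check_cert_cn: bool = True) -> Tuple[str, Optional[dict]]:
    """Decide what happens after the client certificate has passed TLS verification.

    identity      -- the identity string sent by the supplicant (client-controlled)
    subject       -- subject of the verified client certificate (CA-controlled)
    check_cert_cn -- when True, require identity == certificate CN
    """
    cn = cert_cn(subject)
    if check_cert_cn and (cn is None or cn != identity):
        # Identity is not bound to the certificate: refuse instead of
        # applying whichever policy the client chose to name.
        return ("reject", None)
    # Policy is looked up by identity. Without the check above, an unknown
    # identity gets an empty policy, i.e. no Login-Time restriction at all.
    return ("accept", USERS.get(identity, {}))


if __name__ == "__main__":
    alice_cert = "/C=DE/O=Example/CN=alice"  # constructed subject
    for ident in ("alice", "bob", "nobody"):
        for check in (False, True):
            print(ident, check, authorize(ident, alice_cert, check_cert_cn=check))
```
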