> From: Artur Hecker [mailto:[EMAIL PROTECTED]] 
> Sent: den 19 november 2002 16:37
> To: [EMAIL PROTECTED]
> Subject: Re: eap_identity or username attribute?
> 
> 
> shouldn't those two be always set to the same? i can't 
> remember, but i think that i read something like this in the 
> "Usage of RADIUS with IEEE 802.1X" recommendations once...
> 
> try to take a look.
> 
> 
> James Xie wrote:
> > Hi,
> > I am debugging EAP-TLS module. Who can tell me FreeRadius should use 
> > which value (eap_identity and username attribute of radius packet) to 
> > authorize the supplicant? Now I am using rlm_sql module to authorize 
> > the supplicant. Must I set username in database to eap_identity? If 
> > not, is there a safe hole? Thanks!

I think the critical point is that the rlm_eap_tls module should verify
that the User-Name, that is used for authorization, corresponds to the 
client certificate used for authentication. It looks like it doesn't do 
this currently.

The Congdon ID specifies that the User-Name should be the EAP identity.
It would perhaps make sense to have the rlm_eap module verify that the 
User-Name matches the EAP identity also, although this isn't critical 
unless the rlm_eap_tls module matches the identity, rather than the 
User-Name, against the certificate.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
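
The binding check discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code. The names check_identity_binding and subject_cn are hypothetical, and it assumes that "corresponds to" means byte-for-byte equality with the single CN in an OpenSSL-style one-line subject; the sample subjects are constructed.

```c
#include <stdio.h>
#include <string.h>

typedef enum { BIND_OK, BIND_MISSING, BIND_ID_MISMATCH, BIND_CERT_MISMATCH } bind_result;

/* Copy the CN out of a subject such as "/C=SE/O=Example/CN=alice".
 * Returns 0 on success, -1 if the CN is absent, empty, repeated or too long. */
static int subject_cn(const char *subject, char *out, size_t outlen)
{
    const char *cn, *end;
    size_t len;

    if (!subject || !(cn = strstr(subject, "/CN="))) return -1;
    cn += 4;
    if (strstr(cn, "/CN=")) return -1;   /* more than one CN: ambiguous, refuse */
    end = strchr(cn, '/');
    len = end ? (size_t)(end - cn) : strlen(cn);
    if (len == 0 || len >= outlen) return -1;
    memcpy(out, cn, len);
    out[len] = '\0';
    return 0;
}

/* The name used for authorization (User-Name) must equal both the EAP
 * identity and the name in the certificate that was authenticated. */
bind_result check_identity_binding(const char *user_name,
                                   const char *eap_identity,
                                   const char *cert_subject)
{
    char cn[128];

    if (!user_name || !*user_name || !eap_identity || !*eap_identity)
        return BIND_MISSING;
    if (subject_cn(cert_subject, cn, sizeof(cn)) != 0) return BIND_MISSING;
    if (strcmp(user_name, eap_identity) != 0) return BIND_ID_MISMATCH;
    if (strcmp(user_name, cn) != 0) return BIND_CERT_MISMATCH;
    return BIND_OK;
}

int main(void)
{
    /* Constructed case: a valid certificate for alice presented while the
     * RADIUS User-Name, which rlm_sql would authorize, says admin. */
    bind_result r = check_identity_binding("admin", "admin",
                                           "/C=SE/O=Example/CN=alice");
    printf("%s\n", r == BIND_OK ? "accept" : "reject");
    return 0;
}
```

Any result other than BIND_OK is treated as a reject, so a missing or ambiguous CN fails closed.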
