On 11/6/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Hal Pomeranz <[EMAIL PROTECTED]> wrote:
> >  I don't fully understand from the docs what
> > this parameter is doing exactly.  Is this supposed to work?  Is there
> > some configuration (perhaps in my users file) that I'm missing?  What
> > is the impact of NOT setting this parameter?
>
>   The issue is that the User-Name attribute may be different than the
> CN in the certificate. i.e. I steal your certificate and use it.
>
>   This check tries to ensure that the person using the certificate is
> the one who's supposed to be using it.
>
>   The impact of not setting it is usually minor.


We've found in testing that the XP supplicant (with certain patches) will read the certificate and send a User-Name that is constructed from the certificate CN (host/ + cert CN); thus rendering the whole "checking the CN process" fairly pointless for XP supplicants. 


Cheers,

Ben
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html