Oh, I've missed your point, sorry.
This patch is against using some (for example, e-mail signing) certificate (issued by a proper CA!) as the wireless client's one, am I right on the second try? :)

No :-) As I have said, this script is an enhancement of the EAP-TLS authentication. Radius does the usual TLS authentication: the user must have a certificate issued by a CA which is defined in freeradius in the eap-tls configuration (you can use any certificate, you just must have the CA certificate in the path where freeradius searches for CA certificates). After successful authentication this script gets the subject name and issuer and compares them against the list of allowed certificates. That's it:-)

I have gathered some comments and there is another solution: in the EAP authentication phase, after successful authentication, put the whole client certificate into the request packet and write the eap-tls authorize section so that the script (defined in some configuration file) is started and the whole certificate is passed to it. Then the script can process the whole client certificate and can decide on each field in the certificate.

--
Michal Prochazka // [EMAIL PROTECTED]

Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ

CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
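As an added example (not Michal's script and not part of the original mail), this is one way to write the post-authentication allow-list check the reply describes. It assumes the subject and issuer arrive as OpenSSL one-line DNs and that FreeRADIUS runs the script via rlm_exec with request attributes exported in the environment; the allow-list entries and environment variable names are constructed for the example.

```python
#!/usr/bin/env python3
"""Post-authentication allow-list check for EAP-TLS client certificates.

Added example, not the script from the mail. Assumes OpenSSL one-line DNs
("/C=CZ/O=.../CN=...") and that rlm_exec exports request attributes as
environment variables (names uppercased, '-' replaced by '_').
"""
import os
import re
import sys

# Constructed allow list: each entry binds a subject to the issuer that may
# vouch for it, so a same-named subject signed by another CA present in the
# freeradius CA path is still rejected.
ALLOWED = [
    ("/C=CZ/O=Example Org/CN=alice", "/C=CZ/O=Example Org/CN=Example Client CA"),
    ("/C=CZ/O=Example Org/CN=bob",   "/C=CZ/O=Example Org/CN=Example Client CA"),
]

_RDN_SPLIT = re.compile(r"(?<!\\)/")  # split on '/' not preceded by a backslash


def parse_dn(dn):
    """One-line DN -> ordered tuple of (TYPE, value). Types are case-
    insensitive; order is kept because a DN is a sequence, not a set."""
    rdns = []
    for part in _RDN_SPLIT.split(dn.strip()):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().upper(), val.replace("\\/", "/").strip()))
    return tuple(rdns)


def is_allowed(subject, issuer, allowed=ALLOWED):
    """True only if the (subject, issuer) pair is on the allow list."""
    try:
        want = (parse_dn(subject), parse_dn(issuer))
    except ValueError:
        return False
    return any((parse_dn(s), parse_dn(i)) == want for s, i in allowed)


def main():
    subject = os.environ.get("TLS_CLIENT_CERT_SUBJECT", "")
    issuer = os.environ.get("TLS_CLIENT_CERT_ISSUER", "")
    # rlm_exec treats exit status 0 as accept and non-zero as reject.
    sys.exit(0 if is_allowed(subject, issuer) else 1)


if __name__ == "__main__":
    main()
```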
