Martin,

If you want to leverage the existing user profiles in the RADIUS server for authentication and authorization, this Internet Draft, TLS-EAP Extension http://tools.ietf.org/html/draft-nir-tls-eap-06, might be what you are looking for. Unfortunately, there is no implementation to date as far as I know.

I am designing and developing the software for this Internet Draft based on OpenSSL, the EAP module from wpa-supplicant and the freeradius client. Please let me know of any special requirements if you are interested in using the TLS-EAP Extension.

Thanks,
jay

On Wed, Jul 1, 2009 at 2:14 PM, Alan DeKok<[email protected]> wrote:
> Martin Schneider wrote:
>> We need also authorization. So we want to
>>
>> 1.) check if the certificate is signed by a "trusted ca"
>
> That is done by the normal certificate validation process.
>
>> 2.) check if the username x in the certificate is "known"
>
> What does that mean? If the CA signed the certificate, then the
> username is known. Why would the CA sign a certificate for an unknown user?
>
>> 3.) check if the user with name x is authorized to access the service.
>
> That can be done with RADIUS.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

