Greetings,

I'm working with the EAP-TLS configuration and one thing I'd like to do is to be able to restrict a certificate to use on a specific device. In most cases, I can get this to work:

    check_cert_cn = %{User-Name}-%{Calling-Station-Id}

However, by default Windows XP is using the value of CN from the certificate as the username so I get a value which matches check_cert_cn = %{User-Name} making it hard to integrate the Calling-Station-Id into the comparison. Full regexp comparisons don't seem to be available, at least that used to be the case based on my reading of the mailing list archives.

Is there some other way to accomplish this? I was thinking if perhaps the certificate attributes ended up in a place where I could perform more thorough unlang comparisons I could get the same effect. The authentication eventually passes through the users file, and the User-Name and Calling-Station-Id should be available there but I don't know if I can access the CN or other certificate attributes there. Does anybody know if this is possible?

As a fallback, I can have the XP users jump through more configuration hoops, or put only the Calling-Station-Id into the CN but I do like having the username in there as well.

Thanks in advance,

-David Mitchell

--
-----------------------------------------------------------------
| David Mitchell (mitch...@ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
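The mismatch described in the post above, modelled as an added Python example (not part of the original message and not FreeRADIUS code): it expands the `check_cert_cn` template the way the post describes and shows why a supplicant that sends the CN as User-Name fails the combined check. The `device_bound` function is a hypothetical comparison, and the CN and station values are constructed.

```python
import re

# Matches %{Attribute-Name} references in a template string.
_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)\}")

def expand(template, request):
    """Expand %{Attr} references from a dict of request attributes.
    Simplified model (assumption): unknown attributes expand to ''."""
    return _XLAT.sub(lambda m: request.get(m.group(1), ""), template)

def check_cert_cn(template, request, cert_cn):
    """Exact string match between the expanded template and the CN."""
    return expand(template, request) == cert_cn

def device_bound(request, cert_cn):
    """Hypothetical check: CN must be '<user>-<Calling-Station-Id>'.
    Accepts User-Name sent as the bare user or as the full CN."""
    station = request.get("Calling-Station-Id", "")
    user = request.get("User-Name", "")
    if not station or not user:
        return False
    suffix = "-" + station
    if not cert_cn.endswith(suffix):
        return False  # certificate was not issued for this device
    cn_user = cert_cn[: -len(suffix)]
    return bool(cn_user) and user in (cn_user, cert_cn)

# Constructed sample data.
TEMPLATE = "%{User-Name}-%{Calling-Station-Id}"
CN = "jdoe-00-11-22-33-44-55"
OTHER = {"User-Name": "jdoe", "Calling-Station-Id": "00-11-22-33-44-55"}
XP = {"User-Name": CN, "Calling-Station-Id": "00-11-22-33-44-55"}
XP_OTHER_DEVICE = {"User-Name": CN, "Calling-Station-Id": "66-77-88-99-aa-bb"}

if __name__ == "__main__":
    for name, req in (("other", OTHER), ("xp", XP), ("xp-moved", XP_OTHER_DEVICE)):
        print(name,
              "combined:", check_cert_cn(TEMPLATE, req, CN),
              "user-only:", check_cert_cn("%{User-Name}", req, CN),
              "device_bound:", device_bound(req, CN))
```

The user-only template passes for the XP-style request even from a different station, which is the gap the poster wants to close.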