> From: Klaus Heck [mailto:[EMAIL PROTECTED]]
> Sent: 11 December 2002 13:06
> To: [EMAIL PROTECTED]
> Subject: Security flaw in EAP/TLS
>
> I'm using EAP/TLS authentication with an Aironet 350 AP and a
> Win2k client.
>
> The Win2k client (like the NT client) allows specifying a login
> name different from the name in the certificate. Now, the
> user name in the cert is used for auth, but the (different)
> login name is stored in the UserName attribute of my
> accounting table (MySQL). If I know a valid user other than
> me, I can log in with my cert but let the other one pay for
> it.
Yes, this was discussed on this list a couple of weeks ago:
http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg11193.html

> Is there a way to make sure that the user name and the
> login name are the same?

Sure, but you will have to add code to the rlm_eap_tls module.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
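The check the reply says would have to be added to rlm_eap_tls, modelled here in Python as an added example (this is not FreeRADIUS code; the function names and the DN strings are constructed): compare the outer RADIUS User-Name with the CN of the client certificate, and on a match hand back the certificate identity so that accounting is keyed to who actually authenticated rather than to whatever login name the client typed.

```python
# Added example, not part of FreeRADIUS or the thread: a model of the
# User-Name vs. certificate-CN check. Sample DNs below are constructed.
from typing import Dict, Tuple


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 2253-style DN ("CN=alice,OU=staff,O=Example") into an
    {ATTR: value} map, honouring backslash-escaped commas and equals.
    If an attribute repeats, the first occurrence is kept."""
    attrs: Dict[str, str] = {}
    buf, key, escaped = [], None, False
    for ch in dn + ",":  # trailing comma flushes the last attribute
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key = "".join(buf).strip().upper()
            buf = []
        elif ch == ",":
            if key is not None:
                attrs.setdefault(key, "".join(buf).strip())
            buf, key = [], None
        else:
            buf.append(ch)
    return attrs


def check_eap_tls_identity(user_name: str, subject_dn: str,
                           strip_realm: bool = True) -> Tuple[bool, str]:
    """Return (accept, identity). On accept, `identity` is the certificate
    CN, which is what the accounting table (the thread's UserName column)
    should store. On reject, `identity` carries the reason.
    A user@realm User-Name is compared by its user part when strip_realm
    is set (assumption: the realm is not part of the certificate CN)."""
    cn = parse_dn(subject_dn).get("CN")
    if not cn:
        return False, "reject: client certificate has no CN"
    name = user_name.split("@", 1)[0] if strip_realm else user_name
    if name.lower() != cn.lower():
        return False, f"reject: User-Name {user_name!r} != cert CN {cn!r}"
    return True, cn


if __name__ == "__main__":
    # The scenario from the report: a valid cert presented under someone
    # else's login name must be refused, not billed to that other user.
    print(check_eap_tls_identity("otheruser", "CN=klaus,OU=lab,O=Example"))
    print(check_eap_tls_identity("klaus", "CN=klaus,OU=lab,O=Example"))
```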