hi
If the realm is stripped away, wouldn't this work just
fine as long as you just verify the User-Name against the
certificate and ignore the EAP identity? e.g., but then you
propose to not verify the equality of all THREE fields.
Yes. As we have discussed the important point is to
James Xie wrote:
Hi, Can I say both of you premise that NAS(radius client) must set
User-Name value to eap-id? I see in FreeRadius that the username to
i can't speak for Lars, but i would say yes, that's what is dictated by
the standard. the ap must set the User-Name to eap-id since it is the
From: Artur Hecker [mailto:[EMAIL PROTECTED]]
James Xie wrote:
Hi, Can I say both of you premise that NAS(radius client) must set
User-Name value to eap-id? I see in FreeRadius that the username to
i can't speak for Lars, but i would say yes, that's what is
dictated by the standard.
:)
Lars Viklund wrote:
Promise that it must is a bit strong :-) However, I would say that
a NAS that doesn't do this is broken.
so, you are stating the same :)) well, i would say, the first Radius
client MUST do so, because otherwise what could it probably put inside
of User-Name and why?
From: Artur Hecker [mailto:[EMAIL PROTECTED]]
Sent: den 20 november 2002 14:51
To: [EMAIL PROTECTED]
Subject: Re: eap_identity or username attribute? (to Artur and lars)
so you want the rlm_eap_tls to check if eap_id = certified identity,
right? sounds very reasonable for me, but in some
hi Lars
What weird way are you referring to? Is it the "Use a different user
name for the connection" check box you are talking about or something
else?
yes, exactly.
so we probably shouldn't verify that...
But if you don't verify that the User-Name (or EAP identity, if you
have already
From: Artur Hecker [mailto:[EMAIL PROTECTED]]
Sent: den 20 november 2002 17:15
To: [EMAIL PROTECTED]
Subject: Re: eap_identity or username attribute? (to Artur and lars)
i agree with that too, but why does this box exist in Windows then? i
personally tend to think (and so I used it in that
hi Lars
I think the primary purpose is to allow the user to select a
certificate other than the one associated with the currently logged
in windows user. This makes perfect sense.
no, i'm sorry it doesn't :) i can take a certificate of lars and use
the name artur, windows has no problem
From: Artur Hecker [mailto:[EMAIL PROTECTED]]
Sent: den 20 november 2002 19:16
To: [EMAIL PROTECTED]
Subject: Re: eap_identity or username attribute? (to Artur and lars)
If the realm is stripped away, wouldn't this work just
fine as long as you just verify the User-Name against the
Hi,
Can I say both of you premise that NAS (radius client) must set User-Name value to
eap-id? I see in FreeRadius that the username used to authorize is set to User-Name
attribute value. If User-Name value is null then eap-id is set to it. Now if NAS sends
a packet to FreeRadius whose User-Name