EAP-TLS client certificate verification problem
IB Development Team
dev at ib.pl
Tue Jan 19 15:03:33 EST 2021
Hello,
After reading
https://w1.fi/cgit/hostap/tree/hostapd/hostapd.eap_user
I'm trying to find a way to configure the hostapd user database for the
integrated EAP server (hostapd.eap_user text file) to allow only a few
client certs to connect to the AP using EAP-TLS.
I'm using hostapd 2:2.7+git20190128+0c1e29f-6+deb10u2 from Debian 10.
I would like only valid certs with CN=user1 and CN=user2 to be allowed
to connect. Valid certs from the same CA but with a different CN (e.g.
CN=user3) should NOT be allowed to connect.
With hostapd.eap_user
* TLS
"user1" TLS
"user2" TLS
or
* TLS
"user1" TLS [2]
"user2" TLS [2]
client using identity=user3 and valid cert with CN=user3 is allowed to
connect to AP.
With hostapd.eap_user
"user1" TLS
"user2" TLS
client using identity=user3 and valid cert with CN=user3 is NOT allowed
to connect to the AP (blocked in phase#1), but the same user may change the
identity in the connection properties and connect successfully with
identity=user1 and a valid cert with CN=user3.
How do I force the hostapd integrated EAP server (without an external RADIUS
service) to verify the common name from client certs and allow only certs
with CN=user1 and CN=user2 to connect, regardless of the identity sent in
phase#1 (here any login should be directed to TLS because the identity is
not signed by the CA = not trusted)?
--
Regards,
Paweł Bogusławski
IB Development Team
E: dev at ib.pl
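The check the question asks for, as an added example that is not part of the original post and not hostapd code: the Phase-1 EAP identity is an unauthenticated string chosen by the client, so an allowlist keyed on it can be bypassed by presenting another user's name with any certificate the CA has signed. The authorization decision has to be taken on the CN of the certificate after chain validation, and, if the eap_user file is keyed by username, the identity should additionally be required to equal that CN. The script below generates a throwaway CA and test certificates with the openssl CLI (all names, keys and the allowlist are constructed here) and reproduces the three cases from the post: a legitimate user, a valid CN=user3 certificate presented with identity=user1, and an allowed CN on a certificate not issued by the trusted CA.

```shell
#!/bin/sh
# Added example (not hostapd code): decide EAP-TLS authorization on the CN
# of the *verified* client certificate, not on the claimed EAP identity.
# Requires the openssl CLI. All keys, certs, user names and the allowlist
# below are constructed test data.

ALLOWED_CNS="user1 user2"   # constructed allowlist of authorized subjects

# Build a throwaway CA, three CA-signed client certs and one self-signed
# cert that carries an allowed CN but is not issued by the trusted CA.
make_test_pki() {
    dir=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key" >/dev/null 2>&1
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Test CA" -days 1 \
        -out "$dir/ca.crt" >/dev/null 2>&1
    for u in user1 user2 user3; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$u.key" >/dev/null 2>&1
        openssl req -new -key "$dir/$u.key" -subj "/CN=$u" -out "$dir/$u.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$u.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -out "$dir/$u.crt" >/dev/null 2>&1
    done
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/rogue.key" >/dev/null 2>&1
    openssl req -x509 -new -key "$dir/rogue.key" -subj "/CN=user1" -days 1 \
        -out "$dir/rogue.crt" >/dev/null 2>&1
    printf '%s\n' "$dir"
}

# Print the commonName of a certificate's subject (first CN only).
cert_cn() {
    openssl x509 -noout -subject -nameopt sep_multiline,lname -in "$1" \
        | sed -n 's/^ *commonName=//p' | head -n 1
}

# Usage: authorize_client <ca.crt> <client.crt> <eap-identity>
# Exit status 0 = accept, 1 = reject. Mirrors what the EAP server would
# have to do after the TLS handshake.
authorize_client() {
    ca=$1; cert=$2; identity=$3
    # 1. The chain must validate against the trusted CA. This is the part
    #    EAP-TLS already performs; on its own it only proves "some user".
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "reject: certificate not issued by trusted CA"; return 1; }
    # 2. Authorization is decided by the CN of the verified certificate.
    #    The Phase-1 identity is never consulted for this decision.
    cn=$(cert_cn "$cert")
    allowed=0
    for a in $ALLOWED_CNS; do
        if [ "$a" = "$cn" ]; then allowed=1; fi
    done
    [ "$allowed" -eq 1 ] || { echo "reject: CN=$cn not in allowlist"; return 1; }
    # 3. Bind the claimed identity to the certificate, so that a holder of
    #    a CN=user3 certificate cannot log in under identity=user1.
    [ "$identity" = "$cn" ] \
        || { echo "reject: identity '$identity' does not match CN '$cn'"; return 1; }
    echo "accept: CN=$cn"
    return 0
}

PKI_DIR=$(make_test_pki)
# Legitimate user: accepted.
authorize_client "$PKI_DIR/ca.crt" "$PKI_DIR/user1.crt" user1
# The bypass from the post: valid CA-signed CN=user3 cert, identity=user1.
authorize_client "$PKI_DIR/ca.crt" "$PKI_DIR/user3.crt" user1 || true
# Honest CN=user3: rejected by the allowlist, whatever identity is sent.
authorize_client "$PKI_DIR/ca.crt" "$PKI_DIR/user3.crt" user3 || true
# Allowed CN on a certificate the trusted CA never signed: rejected at step 1.
authorize_client "$PKI_DIR/ca.crt" "$PKI_DIR/rogue.crt" user1 || true
```

Step 3 is the one that closes the hole described in the post: with only steps 1 and 2, the CN allowlist already stops CN=user3, but if the eap_user file is what selects the per-user entry, the identity must also be tied to the certificate or any entry can be borrowed. Whether hostapd itself can be configured to apply this binding is not answered on this page; the script only shows the policy that is required.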