hostapd.eap_user partial matching of username.

Jouni Malinen
Fri Aug 14 13:09:33 PDT 2015


On Thu, Aug 13, 2015 at 10:18:05AM -0700, Alexis Salinas wrote:
> I'm testing hostapd's RADIUS functionality using EAP-TLS. Everything works (clients get authenticated) when I use either * or the full SAN (Subject Alt Name) as username, e.g. "laptop1@example.com".
> 
> I'm wondering if it is possible to do partial matching of the SAN, something like *@example.com. So that all machines with a SAN containing the domain "@example.com" would be authenticated without having to list them individually ("laptop1@example.com", "laptop2@example.com").

That is not currently supported. Only two types of wildcards can be
used: the full wildcard * will match everything (e.g., to enable
EAP-TLS/TTLS/PEAP) and prefix wildcard "prefix"* will allow any value
following the specific prefix (for EAP-SIM/AKA/AKA').

> Alternatively, can one use a partial DN as the username? e.g. the value of OU=group1 or O=example.

There is no support for using DN in matching hostapd.eap_user
information.

-- 
Jouni Malinen                                            PGP id EFC895FA
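The matching rules described in this reply, as an added example that is not hostapd's own code: a small model of hostapd.eap_user identity lookup covering the exact, full-wildcard (*) and prefix-wildcard ("prefix"*) forms, which also shows why a suffix pattern such as *@example.com or a DN fragment such as OU=group1 has no supported representation. Assumed: entries are checked in file order and the first match wins; the sample file is constructed; password and phase-2 fields are left out.

```python
import re
from typing import List, Optional, Tuple

# Added example (not hostapd's own code): a model of hostapd.eap_user identity
# matching limited to the three forms the reply names: exact "identity", full
# wildcard *, and prefix wildcard "prefix"*. Assumed: entries are checked in
# file order and the first match wins. Passwords/phase-2 fields are omitted.
ENTRY_RE = re.compile(r'^(?:(\*)|"([^"]*)"(\*)?)\s+(\S+)\s*$')

# (identity or None for the full wildcard, is_prefix_wildcard, methods)
Entry = Tuple[Optional[str], bool, str]

def parse_eap_user(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            # '*@example.com' or 'OU=group1': no suffix or DN matching exists,
            # so this simplified parser rejects such lines outright.
            raise ValueError(f"line {lineno}: unsupported identity pattern {line!r}")
        star, ident, prefix_star, methods = m.groups()
        entries.append((None if star else ident, bool(prefix_star), methods))
    return entries

def lookup(entries: List[Entry], identity: str) -> Optional[str]:
    """Return the methods of the first matching entry, or None."""
    for ident, is_prefix, methods in entries:
        if ident is None:                                   # *
            return methods
        if is_prefix and identity.startswith(ident):        # "prefix"*
            return methods
        if not is_prefix and identity == ident:             # exact
            return methods
    return None

def supported(line: str) -> bool:
    # True if a single eap_user line uses one of the three supported forms.
    return ENTRY_RE.match(line.strip()) is not None

# Constructed sample file: exact SAN entries plus a prefix wildcard.
SAMPLE = '''
"laptop1@example.com"  TLS
"laptop2@example.com"  TLS
"sim-"*  SIM,AKA   # prefix wildcard, intended for EAP-SIM/AKA identities
'''

def methods_for(identity: str) -> Optional[str]:
    return lookup(parse_eap_user(SAMPLE), identity)
```

Note that a prefix wildcard cannot pin the realm: "sim-"* also accepts sim-9@not-example.org, so for EAP-TLS the per-machine exact entries, or the full wildcard with trust placed in the CA check, remain the available options.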


