From: Alan T. DeKok
Date: Mon, 27 Sep 2010 12:02:05 +0000 (+0200)
Subject: Note TLS-Client-Cert-* attributes
X-Git-Tag: release_2_1_10~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=faf639a84ff77ec77a09398b024028ea5e4a37ed;p=thirdparty%2Ffreeradius-server.git
Note TLS-Client-Cert-* attributes
---
diff --git a/raddb/eap.conf b/raddb/eap.conf
index 4e769ee420a..b34acbe7b61 100644
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -234,6 +234,11 @@
  # match, the cerficate verification will fail,
  # rejecting the user.
  #
+ # In 2.1.10 and later, this check can be done
+ # more generally by checking the value of the
+ # TLS-Client-Cert-Issuer attribute. This check
+ # can be done via any mechanism you choose.
+ #
  # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
  #
@@ -247,6 +252,11 @@
  # "check_cert_issuer" is not set, or if
  # the check succeeds.
  #
+ # In 2.1.10 and later, this check can be done
+ # more generally by checking the value of the
+ # TLS-Client-Cert-CN attribute. This check
+ # can be done via any mechanism you choose.
+ #
  # check_cert_cn = %{User-Name}
  #
  # Set this option to specify the allowed
@@ -286,6 +296,9 @@
  # copied from the cache, and placed into the
  # reply list.
  #
+ # You probably also want "use_tunneled_reply = yes"
+ # when using fast session resumption.
+ #
  cache {
  #
  # Enable it. The default is "no".
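Review bot: The comment added under check_cert_issuer (and the parallel one under check_cert_cn in the next hunk) offers the TLS-Client-Cert-Issuer attribute check as a more general form of the same check, but does not say that it only rejects what the administrator's policy explicitly rejects. The surrounding context states that a check_cert_issuer mismatch fails certificate verification and rejects the user; an attribute comparison has no such built-in outcome, and the comment is silent on what happens when the attribute is absent. I would add a line such as `#  Unlike check_cert_issuer, nothing is rejected unless your policy explicitly rejects on a mismatch or a missing attribute.` and name the section in which the attribute is available, which is not visible from this hunk. The comment block starts above the hunk.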
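Review bot: The new comment above `cache {` recommends `use_tunneled_reply = yes` without saying where that option is set or why resumption needs it, and "probably" leaves the reader guessing what goes wrong if it is left off. The context lines say cached attributes are copied into the reply list on resumption; presumably the option matters because those attributes must reach the final reply of the original session in order to be cached, but the hunk does not show that. I would state the reason and the location in the comment, for example `#  Set "use_tunneled_reply = yes" in the tunneled method's section so the attributes to be cached reach the final reply.`, once the author confirms that is the intent. The cache block continues below the hunk.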