Note TLS-Client-Cert-* attributes
[freeradius.git] / raddb / eap.conf
index 4e769ee..b34acbe 100644 (file)
                       #  match, the cerficate verification will fail,
                       #  rejecting the user.
                       #
+                      #  In 2.1.10 and later, this check can be done
+                      #  more generally by checking the value of the
+                      #  TLS-Client-Cert-Issuer attribute.  This check
+                      #  can be done via any mechanism you choose.
+                      #
                #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
 
                       #
                       #  "check_cert_issuer" is not set, or if
                       #  the check succeeds.
                       #
+                      #  In 2.1.10 and later, this check can be done
+                      #  more generally by checking the value of the
+                      #  TLS-Client-Cert-CN attribute.  This check
+                      #  can be done via any mechanism you choose.
+                      #
                #       check_cert_cn = %{User-Name}
                #
                        # Set this option to specify the allowed
                        #  copied from the cache, and placed into the
                        #  reply list.
                        #
+                       #  You probably also want "use_tunneled_reply = yes"
+                       #  when using fast session resumption.
+                       #
                        cache {
                              #
                              #  Enable it.  The default is "no".
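Review bot: The comment added above `check_cert_cn` names the attribute `TLS-Client-Cert-CN`, but as far as I know the server dictionary defines it as `TLS-Client-Cert-Common-Name`, so the name should be confirmed against the dictionary. An operator who replaces `check_cert_cn` with a policy written against the wrong name would get a parse error at best, and possibly a comparison that never matches. The notes above `check_cert_issuer` and `check_cert_cn` both say the check "can be done via any mechanism you choose", but neither says that a hand-written check must itself reject the request on mismatch, as the existing text says `check_cert_issuer` does. I would add a line to each, such as `#  If you do the check yourself, reject the request when the value does not match.` The hunk boundaries are not visible in this rendering, so this note covers the whole eap.conf section.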