From: Alan T. DeKok
Date: Mon, 27 Sep 2010 12:02:05 +0000 (+0200)
Subject: Note TLS-Client-Cert-* attributes
X-Git-Tag: release_3_0_0_beta0~1222
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=freeradius.git;a=commitdiff_plain;h=1950077e6802158e211fa894e26727ff4a57fb6c

Note TLS-Client-Cert-* attributes
---
diff --git a/raddb/eap.conf b/raddb/eap.conf
index 4e769ee..b34acbe 100644
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -234,6 +234,11 @@
 # match, the cerficate verification will fail,
 # rejecting the user.
 #
+ # In 2.1.10 and later, this check can be done
+ # more generally by checking the value of the
+ # TLS-Client-Cert-Issuer attribute. This check
+ # can be done via any mechanism you choose.
+ #
 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
 #
@@ -247,6 +252,11 @@
 # "check_cert_issuer" is not set, or if
 # the check succeeds.
 #
+ # In 2.1.10 and later, this check can be done
+ # more generally by checking the value of the
+ # TLS-Client-Cert-CN attribute. This check
+ # can be done via any mechanism you choose.
+ #
 # check_cert_cn = %{User-Name}
 #
 # Set this option to specify the allowed
@@ -286,6 +296,9 @@
 # copied from the cache, and placed into the
 # reply list.
 #
+ # You probably also want "use_tunneled_reply = yes"
+ # when using fast session resumption.
+ #
 cache {
 #
 # Enable it. The default is "no".
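Review bot: The comment added above `check_cert_issuer` says the check "can be done via any mechanism you choose" but leaves out the one difference that matters: per the context lines, the built-in option fails certificate verification and rejects the user on its own, whereas a comparison against `TLS-Client-Cert-Issuer` rejects nothing unless the administrator writes the rule that does so. The same wording is added above `check_cert_cn` in the second hunk, for `TLS-Client-Cert-CN`. A reader who leaves both options commented out and adds no policy ends up with neither check enforced. I would add one line to each block, e.g. `#  Unlike this option, a policy check must explicitly reject on mismatch.` Both comment blocks start outside their hunks.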
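Review bot: The comment added before `cache {` in the third hunk names `use_tunneled_reply = yes` without saying where that option is set or why resumption needs it; it is not a key of the `cache` section itself. The context lines say cached attributes are copied into the reply list on resumption, so presumably the inner-tunnel reply has to reach the outer reply before there is anything useful to cache. Without that, a resumed session could be accepted without the authorization attributes the full authentication would have returned. I would extend the comment, e.g. `#  (set in the "peap" and "ttls" sections), so that the attributes from the tunneled reply are the ones cached.` The `cache` block continues past the end of the hunk.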