From 1950077e6802158e211fa894e26727ff4a57fb6c Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Mon, 27 Sep 2010 14:02:05 +0200
Subject: [PATCH] Note TLS-Client-Cert-* attributes

---
 raddb/eap.conf | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/raddb/eap.conf b/raddb/eap.conf
index 4e769ee..b34acbe 100644
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -234,6 +234,11 @@
 # match, the cerficate verification will fail,
 # rejecting the user.
 #
+ # In 2.1.10 and later, this check can be done
+ # more generally by checking the value of the
+ # TLS-Client-Cert-Issuer attribute. This check
+ # can be done via any mechanism you choose.
+ #
 # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
 #
@@ -247,6 +252,11 @@
 # "check_cert_issuer" is not set, or if
 # the check succeeds.
 #
+ # In 2.1.10 and later, this check can be done
+ # more generally by checking the value of the
+ # TLS-Client-Cert-CN attribute. This check
+ # can be done via any mechanism you choose.
+ #
 # check_cert_cn = %{User-Name}
 #
 # Set this option to specify the allowed
@@ -286,6 +296,9 @@
 # copied from the cache, and placed into the
 # reply list.
 #
+ # You probably also want "use_tunneled_reply = yes"
+ # when using fast session resumption.
+ #
 cache {
 #
 # Enable it. The default is "no".
-- 
2.1.4
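Review bot: The new comment in the first hunk (and the matching one in the second hunk for TLS-Client-Cert-CN) tells the administrator that the issuer check "can be done via any mechanism you choose", but does not say how a policy should behave when the attribute is absent, which is the case that matters for a fail-closed check. Unlike check_cert_issuer, which the surrounding text says makes certificate verification itself fail, a hand-written comparison presumably only rejects when the administrator writes the reject branch, so the comment should spell out the contract, e.g. `# Any such check must reject unless the attribute is present AND matches; treat a missing attribute as a failed check.` It would also help to state at which point in processing the TLS-Client-Cert-* attributes become available, since that determines where the check can be placed; I have not verified this from the page, so the maintainer should confirm before documenting it. The comment block continues outside the hunk on both sides.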