Hiding the EAP-TLS match user by certificate behind an admin option, disabled by default

2025-07-07 08:14:58 +03:00 · 2023-01-24 11:31:10 +03:00
parent 149096e13c
commit 0a60cdf141
9 changed files with 9 additions and 1 deletions
--- a/src/Cedar/Hub.c
+++ b/src/Cedar/Hub.c
@ -45,6 +45,7 @@ static bool g_vgs_emb_tag = false;
 ADMIN_OPTION admin_options[] =
 {
 	{"allow_hub_admin_change_option", 0},
+	{"allow_eap_tls_match_user_by_cert", 0},
 	{"max_users", 0},
 	{"max_multilogins_per_user", 0},
 	{"max_groups", 0},
--- a/src/Cedar/Proto_PPP.c
+++ b/src/Cedar/Proto_PPP.c
@ -1295,7 +1295,7 @@ bool PPPProcessEAPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req
 				AcLock(hub);
 				{
 					USER *user = AcGetUser(hub, p->Eap_Identity.UserName);
-					if (user == NULL)
+					if (user == NULL && GetHubAdminOption(hub, "allow_eap_tls_match_user_by_cert") == true)
 					{
 						user = AcGetUserByCert(hub, p->Eap_Identity.UserName);
 						if (user != NULL)