This is a discussion on Freeradius EAP-TLS client/server certificate within the FreeRADIUS Users forums, part of the Networking and Network Related category.

Hi

This question is rather a certificate question but ... How does EAP-TLS certificate authentication work? As I know, the server sends its certificate first with its public key to the client. The client sends its certificate to the RADIUS server.

I first had the username of the client (identity string of EAP) in the users file. My client is authorized. Then I deleted the user and the client is still accepted. How can I restrict the clients? Does it mean that every generated certificate which is not revoked can be used, i.e. is authorized?

The same is for the server side. How can I guarantee I'm on the right server if I don't have the server certificate on the client (supplicant) side?

In the wpa_supplicant config file they are "talking" about Phase1 (outer authentication) and Phase2 (inner authentication) but only for EAP-PEAP or EAP-TTLS, and it says "Following certificate/private key fields are used in inner Phase2". I'm really confused.

Is there any good beginner docu about how certificate authentication and EAP-TLS work? But please not RFC 2246 ...

I'm working with freeradius-1.0.2, wpa_supplicant-0.3.8 as supplicant and a Linksys WRT54G as NAS.

Thanks a lot
Beat

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html