How to deny user with changed username when using EAP-TLS

Marcos González mgtroyas at gmail.com
Thu Sep 28 23:38:19 CEST 2006


>> I think as I'm using digital certificates (EAP-TLS) to authenticate
>> users, and the user has a valid one, if there aren't any additional
>> checks in radcheck, the user has already been authenticated due to the
>> certificate, and is allowed to enter the network. Is that right?
>
>  Yes.  But you can still reject them before the certificate is
>validated.  Or, you can have a Certificate Revocation List that marks
>their certificate as invalid.

Yes, I'm using them to reject users that, although having a valid
certificate, I want to be out of the network, and it works OK. I only
wanted to additionally prevent users that bypass my access control system
by changing their 'UserName' to an unused one from accessing the network.

The revocation list is something I'll take a look at, thanks!

>
> If that's the case, I think about using the exec module to call an
> external shell script which checks if 'UserName' is included in my
> database, and if it's not, modify 'UserName' to something like
> 'Unauthorized', user that will be in a group with an 'Auth-Type = Deny'.
> Do you think there's an easier way?
>
>  See "rlm_exec".  Run the script, and have the script print
>"Auth-Type := Reject" to stdout if the user isn't found.  That should
>cause them to be rejected.

Yes, it seems a good solution. Thank you very much!

>  Alan DeKok.
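The rlm_exec approach Alan describes, as an added example script that is not part of the thread or of FreeRADIUS itself. It assumes rlm_exec's convention of exporting request attributes as environment variables with '-' replaced by '_' (so User-Name arrives as USER_NAME) and of parsing the script's stdout as attribute pairs; the allow-list path and the sample usernames are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reject any User-Name that is not in a
# local allow-list by printing "Auth-Type := Reject" for rlm_exec to pick up.
# Only attribute pairs may go to stdout; anything else confuses the parser.

# Placeholder path: one permitted username per line, exact spelling.
ALLOWED_USERS="${ALLOWED_USERS:-/etc/raddb/allowed_users.txt}"

# is_allowed <username> <listfile>: true only for a non-empty, exact,
# whole-line match (no substring or pattern matching). A missing or
# unreadable list makes grep fail, which fails closed (user rejected).
is_allowed() {
    [ -n "$1" ] && grep -Fxq -- "$1" "$2"
}

# check_user <username> <listfile>: print the pair rlm_exec should add.
# Prints nothing when the user is listed, so authentication proceeds
# normally (EAP-TLS still validates the certificate afterwards).
check_user() {
    if is_allowed "$1" "$2"; then
        :
    else
        printf '%s\n' 'Auth-Type := Reject'
    fi
}

# make_sample_list: write a constructed allow-list to a temp file and
# print its path (used for stand-alone demonstration and testing).
make_sample_list() {
    _list="$(mktemp)"
    printf '%s\n' alice bob carol > "$_list"
    printf '%s\n' "$_list"
}

# When invoked by rlm_exec, USER_NAME is present in the environment.
if [ -n "${USER_NAME:-}" ]; then
    check_user "$USER_NAME" "$ALLOWED_USERS"
fi
```

Point the exec module at this script with `wait = yes` and output parsing enabled so the printed pair is applied before the Auth-Type is chosen.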




More information about the Freeradius-Users mailing list