radius x509 authentication + LDAP ? [SEC=UNCLASSIFIED]
Riccardo Veraldi
Riccardo.Veraldi at cnaf.infn.it
Sat May 24 21:02:38 CEST 2008
Hello,
the problem is this.
Not all the people having a certificate should authenticate on my WiFi
infrastructure.
These certificates are for general purpose, so also for EAP-TLS,
but some user in my case should not be authenticated.
To select which are the users to be authenticated and which are not,
I wanted to use LDAP properties. If a user is in the LDAP directory
it should pass, if it is not, it should be refused, but at the end, I am
unable to do it.
So my question now is. Can I use the OU field to select if the user is
valid or not ?
How can I tell freeradius to reject users which has X509 certificate
with a OU different
from a certain value ?
thanks
Rick
Alan DeKok wrote:
> Riccardo Veraldi wrote:
>
>> but still authentication is succesful using EAP-TLS even if user is not
>> in LDAP Directory.
>>
>> any hints ?
>>
>
> That's how EAP-TLS works. If you issued them a certificate, it means
> that they are authenticated.
>
> If you don't want to authenticate them, I'm curious why you issued
> them a certificate.
>
> But if you still want to reject them... you can. Just put them into
> an LDAP group, and reject everyone in that LDAP group.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list