radius x509 authentication + LDAP ? [SEC=UNCLASSIFIED]
Riccardo Veraldi
Riccardo.Veraldi at cnaf.infn.it
Mon May 26 11:26:26 CEST 2008
I wrote a rule in the users file to reject login for users in a
certain group, but access is still given:
DEFAULT Ldap-Group == "cn=rjgroup", Auth-Type := Reject
        Reply-Message = "Sorry, you are not allowed to have dialup access"
The user can still authenticate successfully with EAP-TLS.
The user is found in the LDAP tree and is a member of the LDAP group rjgroup, but
is still not being rejected.
What am I missing?
thanks
Riccardo
Alan DeKok wrote:
> Riccardo Veraldi wrote:
>
>> Not all the people having a certificate should authenticate on my WiFi
>> infrastructure.
>> These certificates are for general purpose, so also for EAP-TLS,
>>
>
> Then your PKI system is wrong. You should NOT issue certificates for
> multiple purposes.
>
> You should issue RADIUS (EAP-TLS) certificates ONLY to the people who
> are allowed to use EAP-TLS.
>
>
>> but some user in my case should not be authenticated.
>> To select which are the users to be authenticated and which are not,
>> I wanted to use LDAP properties. If a user is in the LDAP directory
>> it should pass, if it is not, it should be refused, but at the end, I am
>> unable to do it.
>>
>
> Did you read my statement about using LDAP groups? Do you know what
> an LDAP group is?
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
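The following users-file fragment is an added illustration of the group-based policy Alan is pointing at; it is not from this thread or from the FreeRADIUS project. The group DNs (ou=groups,dc=example,dc=org) and the "wifi" group are placeholders to be replaced with the real directory layout. Note that reply items such as Reply-Message must sit on indented continuation lines under their entry, otherwise the line is parsed as a new entry rather than as part of the DEFAULT rule above it.

```text
# Added example (not from this thread): a users-file policy driven by LDAP groups.
# Group DNs below are placeholders.

# 1. Members of rjgroup are rejected, whatever else the directory says.
#    Reply items belong on indented continuation lines; the last one has no
#    trailing comma.
DEFAULT Ldap-Group == "cn=rjgroup,ou=groups,dc=example,dc=org", Auth-Type := Reject
        Reply-Message = "Sorry, you are not allowed to have dialup access"

# 2. Everyone else must belong to a group that is allowed to use EAP-TLS.
#    A match here ends users-file processing and lets EAP continue.
DEFAULT Ldap-Group == "cn=wifi,ou=groups,dc=example,dc=org"
        Fall-Through = No

# 3. Anyone who reaches this point is neither rejected nor explicitly allowed:
#    deny by default.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of an authorised WiFi group"
```

The Ldap-Group comparison is provided by the ldap module, so rlm_ldap has to be configured and listed in the authorize section for the check to be evaluated at all (conventionally before files). Whether the value is compared as a bare group name or as a full group DN depends on how rlm_ldap is configured in the installed version; the full DN form is used above as an assumption, and the rlm_ldap documentation for the version in use should be checked before relying on either form.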