MAC address restriction with EAP-TLS

John T. Guthrie III guthrie at counterexample.org
Mon Jan 26 03:45:35 CET 2009


Ivan Kalik <tnt at kalik.net> wrote:
> >We are currently using EAP-TLS authentication with FreeRADIUS at the place
> >where I work right now.  Management would like to be able to restrict the use
> >of a given certificate for this authentication to specific MAC addresses.  In
> >other words, for each certificate, the desire is to tie that certificate to
> >one or a couple MAC addresses, and to say that that certificate may only be
> >used if it is coming from those specific MAC addresses.  If the certificate is
> >used from a different MAC address, then authentication should fail.
> >
> >I have tried to look for info on this on the web to no avail.  I also
> >understand that EAP-TLS authentication generally needs to be left out of the
> >users file.  But the only way that I can think of to restrict MAC addresses
> >would be to place some kind of line involving a Calling-Station-ID in the users
> >file.  So I am at a loss.
> 
> If you put something like:
> 
> username   Calling-Station-Id != whatever, Auth-Type := Reject
> 
> user will not be able to connect.
> 
> Ivan Kalik
> Kalik Informatika ISP

So how would I do the same thing for a certificate instead of a username?  Or
would I use something like the CN value on the certificate as the username?
Alternatively, could I use something involving %{User-Name} and
%{Calling-Station-Id} in the check_cert_cn parameter in eap.conf?

Thank you very much for your help.

John Guthrie
guthrie at counterexample.org



More information about the Freeradius-Users mailing list