MAC address restriction with EAP-TLS

John T. Guthrie III guthrie at
Tue Jan 27 22:53:22 CET 2009

Ivan Kalik <tnt at> wrote:
> >> >We are currently using EAP-TLS authentication with FreeRADIUS at the place
> >> >where I work right now.  Management would like to be able to restrict the use
> >> >of a given certificate for this authentication to specific MAC addresses.  In
> >> >other words, for each certificate, the desire is to tie that certificate to
> >> >one or a couple MAC addresses, and to say that that certificate may only be
> >> >used if it is coming from those specific MAC addresses.  If the certificate is
> >> >used from a different MAC address, then authentication should fail.
> >> >
> >> >I have tried to look for info on this on the web to no avail.  I also
> >> >understand that EAP-TLS authentication generally needs to be left out of the
> >> >users file.  But the only way that I can think of to restrict MAC addresses
> >> >would be to place some kind of line involving a Calling-Station-ID in the users
> >> >file.  So I am at a loss.
> >>
> >> If you put something like:
> >>
> >> username   Calling-Station-Id != whatever, Auth-Type := Reject
> >>
> >> user will not be able to connect.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >
> >So how would I do the same thing for a certificate instead of a username?
> Ther will be a username in EAP-TLS request too.

>From everything that I have been able to read, the user name in a EAP-TLS
request should come from the CN value of the certificate.  Does this
sound correct?


John Guthrie
guthrie at

More information about the Freeradius-Users mailing list