Hello, the problem is this. Not all the people having a certificate should authenticate on my WiFi infrastructure. These certificates are for general purpose, so also for EAP-TLS, but some user in my case should not be authenticated. To select which are the users to be authenticated and which are not, I wanted to use LDAP properties. If a user is in the LDAP directory it should pass, if it is not, it should be refused, but at the end, I am unable to do it. So my question now is. Can I use the OU field to select if the user is valid or not ? How can I tell freeradius to reject users which has X509 certificate with a OU different from a certain value ? thanks Rick Alan DeKok wrote:
Riccardo Veraldi wrote:
but still authentication is succesful using EAP-TLS even if user is not in LDAP Directory.
any hints ?
That's how EAP-TLS works. If you issued them a certificate, it means that they are authenticated.
If you don't want to authenticate them, I'm curious why you issued them a certificate.
But if you still want to reject them... you can. Just put them into an LDAP group, and reject everyone in that LDAP group.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html