I wrote a rule in users file to reject login for users being in a certain grup, but still access is given DEFAULT Ldap-Group == "cn=rjgroup", Auth-Type := Reject Reply-Message = "Sorry, you are not allowed to have dialup access" user can authenticate succesfully with EAP-TLS. User is found in LDAP tree, user is part of ldap group rjgroup, but still is not being rejected. What am I missing ? thanks Riccardo Alan DeKok ha scritto:
Riccardo Veraldi wrote:
Not all the people having a certificate should authenticate on my WiFi infrastructure. These certificates are for general purpose, so also for EAP-TLS,
Then your PKI system is wrong. You should NOT issue certificates for multiple purposes.
You should issue RADIUS (EAP-TLS) certificates ONLY to the people who are allowed to use EAP-TLS.
but some user in my case should not be authenticated. To select which are the users to be authenticated and which are not, I wanted to use LDAP properties. If a user is in the LDAP directory it should pass, if it is not, it should be refused, but at the end, I am unable to do it.
Did you read my statement about using LDAP groups? Do you know what an LDAP group is?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html