On Feb 7, 2020, at 7:37 AM, uj2.hahn@posteo.de wrote:
Question: What is an easy way to reject users who are going to connect from a machine which does not have the appropriate client certificate? Note: I'm talking about special users only.
There's no clear definition of "special user".
Background: At school we have a bunch of electronic whiteboards with WLAN. All of them have the same username/passwd with client certs installed. Just to be on safe side I like to make sure that nobody else is abusing this username/passwd from another device. You never know....
Check MAC addresses of end user devices. Or even better, give each device it's own name / password / client cert. That way if it shows up in two locations, you know one of them is fraudulent. You can also give each device a username and cert name based on the MAC address of the device. Which means that you can cross-check the MAC in the certificate against the one in the RADIUS packet. Alan DeKok.