Ivan Kalik <tnt@kalik.net> wrote:
We are currently using EAP-TLS authentication with FreeRADIUS at the place where I work right now. Management would like to be able to restrict the use of a given certificate for this authentication to specific MAC addresses. In other words, for each certificate, the desire is to tie that certificate to one or a couple MAC addresses, and to say that that certificate may only be used if it is coming from those specific MAC addresses. If the certificate is used from a different MAC address, then authentication should fail.
I have tried to look for info on this on the web to no avail. I also understand that EAP-TLS authentication generally needs to be left out of the users file. But the only way that I can think of to restrict MAC addresses would be to place some kind of line involving a Calling-Station-ID in the users file. So I am at a loss.
If you put something like:
username Calling-Station-Id != whatever, Auth-Type := Reject
user will not be able to connect.
Ivan Kalik Kalik Informatika ISP
So how would I do the same thing for a certificate instead of a username? Or would I use something like the CN value on the certificate as the username? Alternatively, could I use something involving %{User-Name} and %{Calling-Station-Id} in the check_cert_cn parameter in eap.conf? Thank you very much for your help. John Guthrie guthrie@counterexample.org