Eric Belcher wrote:
Each student is issued with a certificate that is used to authenticate him to the radius server. The certificate name is his MAC address. A corresponding NDS account exists for this MAC address.
I presume that's with EAP-TLS?
However, I have found a flaw I can't seem to find an answer for. I'm hoping someone can help.
If the NDS account does not exist, as long as the SSL certificate is not revoked and is in the Freeradius database, the student will gain access.
That's how EAP-TLS works. The certificate is valid, not revoked, so the user *may* be allowed in.
The radius server, does a lookup, can't find the account and just continues on. I need the radius server to reject access is an missing attribute causing a rejection if the account can't be found.
doc/configurable_failover. If the ldap module returns "notfound", you can reject the user. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog