Re: Re: How to deny user with changed username when using EAP-TLS
=?ISO-8859-1?Q?Marcos_Gonz=E1lez?= <mgtroyas@gmail.com> wrote:
Is there any way to allow known users (those whose UserName appears in radcheck) access, but deny unknown (all other) users?
Huh? If the user & password aren't known to the server, the default *is* to reject them. If that isn't happening, then something in your config is allowing them in.
As always, run the server in debugging mode to see what's going on.
Alan DeKok.
I think as I'm using digital certificates (EAP-TLS) to authenticate users, and the user has a valid one, if there aren't any aditional checks in radcheck, the user has already been authenticated due to the certificate, and is allowed to enter the network. Is that right? If that's the case, I think about using the exec module to call a external shell script which checks if 'UserName' is included in my database, and if it's not, modify 'UserName' to something like 'Unauthorized', user that will be in a group with an 'Auth-Type = Deny'. Do you think there's an easier way? Thank you for your help.
I think as I'm using digital certificates (EAP-TLS) to authenticate users, and the user has a valid one, if there aren't any aditional checks in radcheck, the user has already been authenticated due to the certificate, and is allowed to enter the network. Is that right?
Yes. But you can still reject them before the certificate is validated. Or, you can have a Certificate Revocation List that marks their certificate as invalid.
If that's the case, I think about using the exec module to call a external shell script which checks if 'UserName' is included in my database, and if it's not, modify 'UserName' to something like 'Unauthorized', user that will be in a group with an 'Auth-Type = Deny'. Do you think there's an easier way?
See "rlm_exec". Run the script, and have the script print "Auth-Type := Reject" to stdout if the user isn't found. That should cause them to be rejected. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Marcos González