How to deny user with changed username when using EAP-TLS
Hello, my name is Marcos and I'm developing an access control solution using FreeRADIUS+MySQL+Web frontend. I use check attributes in table 'radusercheck ' to allow or deny access on a per user basis. The problem is, if an user changes his 'UserName' in his wireless network adapter configuration, then there's no match in the table, and he enters the network bypassing my solution. There's an option in sql.conf that allows defining a DEFAULT profile, and also assigning it to non known users. But it's parsed after the normal check, so if I define an 'Auth-Type := Reject', both are denied, known and unknown users. Is there any way to allow known users (those whose UserName appears in radcheck) access, but deny unknown (all other) users? Thank you in advance.
=?ISO-8859-1?Q?Marcos_Gonz=E1lez?= <mgtroyas@gmail.com> wrote:
Is there any way to allow known users (those whose UserName appears in radcheck) access, but deny unknown (all other) users?
Huh? If the user & password aren't known to the server, the default *is* to reject them. If that isn't happening, then something in your config is allowing them in. As always, run the server in debugging mode to see what's going on. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Marcos González