EAP-TLS - Authenticating only certain users
When using EAP-TLS as the only method in freeradius, is there a way to define a list of allowed users, perhaps by the CN on their client certificate? I want it so that not *everyone* who has a certificate signed by the CA list can authenticate, but rather a select few (of which I know the CN of their certificates). Thanks... Stephen
Stephen Bowman wrote:
When using EAP-TLS as the only method in freeradius, is there a way to define a list of allowed users, perhaps by the CN on their client certificate?
Or the User-Name attribute, which should be the same as the client CN. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Ok, so I put a list of usernames in the users file with an Auth-Type := EAP ? Right now, everyone with a valid client certificate is authenticated (nobody is listed in the users file). Once I start enumerating them in the users file, will it have an implicit deny all of everyone who isn't in the users file? Also - is there a way to define a different users file per NAS? On 2/17/07, Alan DeKok <aland@deployingradius.com> wrote:
Stephen Bowman wrote:
When using EAP-TLS as the only method in freeradius, is there a way to define a list of allowed users, perhaps by the CN on their client certificate?
Or the User-Name attribute, which should be the same as the client CN.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Stephen Bowman wrote:
Ok, so I put a list of usernames in the users file with an Auth-Type := EAP ?
No. Setting Auth-Type is almost always wrong. In this case, it will do nothing. Instead, put the "good" users into a group (see "man rlm_passwd"). Then, reject everyone who isn't in that group.
Right now, everyone with a valid client certificate is authenticated (nobody is listed in the users file). Once I start enumerating them in the users file, will it have an implicit deny all of everyone who isn't in the users file?
No.
Also - is there a way to define a different users file per NAS?
It's a bit of work, but sure. See "Autz-Type". Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Stephen Bowman