How to deny user with changed username when using EAP-TLS

Marcos González mgtroyas at gmail.com
Thu Sep 28 10:28:37 CEST 2006


Marcos González <mgtroyas at gmail.com> wrote:

>> Is there any way to allow known users (those whose UserName appears in
>> radcheck) access, but deny unknown (all other) users?

>
>Huh?  If the user & password aren't known to the server, the default
>*is* to reject them.  If that isn't happening, then something in your
>config is allowing them in.
>
>As always, run the server in debugging mode to see what's going on.
>
>Alan DeKok.


I think as I'm using digital certificates (EAP-TLS) to authenticate
users, and the user has a valid one, if there aren't any additional
checks in radcheck, the user has already been authenticated due to the
certificate, and is allowed to enter the network. Is that right?

If that's the case, I think about using the exec module to call an
external shell script which checks if 'UserName' is included in my
database, and if it's not, modify 'UserName' to something like
'Unauthorized', user that will be in a group with an 'Auth-Type = Deny'.
Do you think there's an easier way?

Thank you for your help.
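
The username check proposed in the message above, as an added example that is not part of the original post or of FreeRADIUS: a shell function that reports through its exit status whether a client-supplied name is an exact entry in a list of known users, instead of rewriting 'UserName'. The function names, the flat file standing in for the database, and the quote stripping are assumptions; how the server acts on the exit status depends on the exec module configuration, which is not shown.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Strip one pair of surrounding double quotes (assumption: the caller may
# hand the attribute value over quoted, e.g. "bob").
normalize_user() {
    u=$1
    case $u in
        \"*\") u=${u#\"}; u=${u%\"} ;;
    esac
    printf '%s' "$u"
}

# is_known_user NAME LISTFILE -> status 0 if NAME is an exact line in LISTFILE.
# LISTFILE is a flat-file stand-in for the user database (assumption).
is_known_user() {
    user=$(normalize_user "$1")
    list=$2
    # Fail closed on an empty name or an unreadable list.
    [ -n "$user" ] || return 1
    [ -r "$list" ] || return 1
    # The name is client-supplied: refuse anything outside a conservative set.
    case $user in
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    # -F: no regex ('.' is literal); -x: whole line ("bo" does not match "bob").
    grep -Fxq -- "$user" "$list"
}

# Demo on constructed data.
demo_list=$(mktemp)
printf '%s\n' alice bob 'carol@example.org' > "$demo_list"
for name in alice '"bob"' bo mallory 'alice;id' ''; do
    if is_known_user "$name" "$demo_list"; then
        echo "known:   [$name]"
    else
        echo "unknown: [$name]"
    fi
done
rm -f "$demo_list"
```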




