How to deny user with changed username when using EAP-TLS
Alan DeKok
aland at deployingradius.com
Thu Sep 28 17:20:33 CEST 2006
> I think as I'm using digital certificates (EAP-TLS) to authenticate
> users, and the user has a valid one, if there aren't any additional
> checks in radcheck, the user has already been authenticated due to the
> certificate, and is allowed to enter the network. Is that right?
Yes. But you can still reject them before the certificate is
validated. Or, you can have a Certificate Revocation List that marks
their certificate as invalid.
> If that's the case, I think about using the exec module to call an
> external shell script which checks if 'UserName' is included in my
> database, and if it's not, modify 'UserName' to something like
> 'Unauthorized', a user that will be in a group with an 'Auth-Type = Deny'.
> Do you think there's an easier way?
See "rlm_exec". Run the script, and have the script print
"Auth-Type := Reject" to stdout if the user isn't found. That should
cause them to be rejected.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
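The rlm_exec approach described in the reply, written out as a complete script. This is an added example, not code from the thread or from the FreeRADIUS project. It assumes the exec module instance is configured with `wait = yes` and `output_pairs = config` and is listed in the `authorize` section, so that rlm_exec exports the request's User-Name to the script as the environment variable USER_NAME and reads the attribute the script prints on stdout back into the request's control list. The list of authorized users is constructed inline for the example; a real deployment would replace `is_authorized` with a database lookup. Because User-Name in the RADIUS request is supplied by the client and is not bound to the certificate, the script rejects on empty or non-matching names only; binding the name to the certificate subject (for instance via the TLS-Client-Cert-Common-Name attribute that later FreeRADIUS versions expose) is a separate check not shown here.

```shell
#!/bin/sh
# Added example for rlm_exec: print "Auth-Type := Reject" on stdout when the
# presented User-Name is not on the authorized list, print nothing otherwise.
# The script always exits 0: the printed attribute does the rejecting, and a
# non-zero exit would make rlm_exec itself fail the request for every user.

# Constructed sample list of authorized users (one name per line).
# Replace is_authorized() with your real database query.
AUTHORIZED_USERS="alice
bob
carol"

# is_authorized NAME: exit 0 if NAME is an exact, whole-line match in the list.
# -F (fixed string) and -x (whole line) stop "ali" or "a.*" from matching "alice".
is_authorized() {
    printf '%s\n' "$AUTHORIZED_USERS" | grep -Fxq -- "$1"
}

# decide NAME: the policy. Empty names and unknown names are rejected.
decide() {
    name="$1"
    if [ -n "$name" ] && is_authorized "$name"; then
        return 0
    fi
    printf 'Auth-Type := Reject\n'
    return 0
}

# rlm_exec passes request attributes as environment variables, with the
# attribute name upper-cased and '-' replaced by '_': User-Name -> USER_NAME.
decide "${USER_NAME:-}"
```

Run it by hand with `USER_NAME=alice ./check_user.sh` (prints nothing) and `USER_NAME=mallory ./check_user.sh` (prints `Auth-Type := Reject`) before wiring it into the server, and check the FreeRADIUS debug output (`radiusd -X`) to confirm the attribute shows up in the request's control list.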