EAP-TLS - Authenticating only certain users
Alan DeKok
aland at deployingradius.com
Sat Feb 17 21:24:06 CET 2007

Stephen Bowman wrote:
> Ok, so I put a list of usernames in the users file with an Auth-Type :=
> EAP ?

No. Setting Auth-Type is almost always wrong. In this case, it will
do nothing.

Instead, put the "good" users into a group (see "man rlm_passwd").
Then, reject everyone who isn't in that group.

> Right now, everyone with a valid client certificate is authenticated
> (nobody is listed in the users file). Once I start enumerating them in
> the users file, will it have an implicit deny all of everyone who isn't
> in the users file?

No.

> Also - is there a way to define a different users file per NAS?

It's a bit of work, but sure. See "Autz-Type".

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog