LDAP authentication allowed if User Object does not exist.

Eric Belcher Eric.Belcher at acgs.qld.edu.au
Thu Feb 22 07:39:48 CET 2007


Hi,
 
I'm using freeradius on a SUSE 10 server. I'm using it to authenticate
WPA2 wireless clients to Novell eDirectory. There is a twofold process.
Being a school, security is quite an issue.
 
Each student is issued with a certificate that is used to authenticate
him to the radius server. The certificate name is his MAC address. A
corresponding NDS account exists for this MAC address.
 
So, if the student installs his certificate and has an account in NDS,
he is authenticated and the wireless access point allows an IP address
to be obtained and the student has access. Using the NDS account I can
limit the student's access by changing the parameters of his MAC account,
i.e., allowed times. THIS IS ALL WORKING WELL.
 
However, I have found a flaw I can't seem to find an answer for. I'm
hoping someone can help.
 
If the NDS account does not exist, as long as the SSL certificate is
not revoked and is in the Freeradius database, the student will gain
access. The radius server does a lookup, can't find the account and
just continues on. I need the radius server to reject access. Is there a
missing attribute causing a rejection if the account can't be found?
 
Can anyone tell me how I can do this?
Thanks
Eric Belcher
 
 
Eric Belcher
Manager - Technology Services
Anglican Church Grammar School
Oaklands Parade, East Brisbane
Eric.Belcher at acgs.qld.edu.au 
Phone 617 3896 2186
Fax 617 3891 5976
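
The fail-open behaviour described in the message above, next to a fail-closed alternative, as an added configuration sketch that is not part of the original post and not the poster's configuration. It assumes the LDAP module instance is named `ldap`, that it looks up the MAC-address account from the User-Name, and that the installed FreeRADIUS supports per-module return-code overrides in the `authorize` section.

```text
# Constructed example; use one of the two authorize sections, not both.
# Assumption: the LDAP module instance is called "ldap" and searches
# eDirectory for the account named after the client's MAC address.

# Fail-open (the behaviour described in the message): when ldap returns
# "notfound" the section simply carries on, so a client holding a valid,
# unrevoked certificate is still handed to EAP-TLS and accepted.
authorize {
    preprocess
    ldap
    eap
}

# Fail-closed: override the action for the "notfound" return code so that
# a missing directory account rejects the request. ldap is listed before
# eap so the directory check always runs before EAP handling.
authorize {
    preprocess
    ldap {
        notfound = reject
    }
    eap
}
```

With the second form, deleting or never creating the directory account denies access even while the certificate remains valid, which makes the directory the single point of revocation.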
