LDAP authentication allowed if User Object does not exist.
aland at deployingradius.com
Fri Feb 23 09:38:36 CET 2007
Eric Belcher wrote:
> Each student is issued with a certificate that is used to authenticate
> him to the radius server. The certificate name is his MAC address. A
> corresponding NDS account exists for this MAC address.
I presume that's with EAP-TLS?
> However, I have found a flaw I can't seem to find an answer for. I'm
> hoping someone can help.
> If the NDS account does not exist, as long as the SSL certificate is not
> revoked and is in the Freeradius database, the student will gain access.
That's how EAP-TLS works. The certificate is valid, not revoked, so
the user *may* be allowed in.
> The radius server, does a lookup, can't find the account and just
> continues on. I need the radius server to reject access is an missing
> attribute causing a rejection if the account can't be found.
If the ldap module returns "notfound", you can reject the user.
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
More information about the Freeradius-Users